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The  Role  of  the  Office  of  Inspector  General 
in  Identifying  Risks  at  a  Government  Agency 


By  Inspector  General  Richard  Moore  and  Ben  Wagner 

In  this  article,  we  examine  the  intersection  of  fed¬ 
eral  agency  responsibility  for  accurately  assessing 
and  dealing  with  risks  to  the  agency  and  the  role  of 
the  Inspector  General  in  this  important  area.  When 
the  inevitable,  “Where  was  the  IG?”  comes  after  an 
agency  crisis,  we  should  have  a  good  answer.  Was 
the  risk  that  resulted  in  a  crisis  on  the  IG’s  radar?  If 
not,  why  not?  The  role  of  the  IG,  as  we  discuss  here, 
is  not  to  supplant  the  agency’s  responsibility  to 
properly  identify  and  control  risks  but  to  accurately 
assess  the  sufficiency  of  the  agency’s  risk  manage¬ 
ment  program  and  to  identify  risks  not  recognized 
by  the  agency  as  appropriate.  If  the  agency’s  enter¬ 
prise  risk  management  program  is  comprehensive, 
the  IG  can  rely  with  some  confidence  on  the  pro¬ 
gram  to  allocate  scarce  OIG  resources  for  focused 
audits,  inspections  and  investigations. 


“In  the  past,  many  companies 
focused  ris  ({identification  on  past 
fosses,  failures  and  incidents  ” 

GETTING  IT  ON  THE  RADAR:  DEVELOPING 
A  ROBUST  ENTERPRISE  RISK  MANAGEMENT 
PROGRAM 

In  today’s  world,  how  effective  a  business  or  gov¬ 
ernment  agency  is  at  identifying  its  risks  and  taking 
action  to  reduce  those  risks  can  be  the  difference 
between  success  and  failure.  Managing  risk  is  a 
challenging  endeavor.  In  the  past,  many  companies 
focused  risk  identification  on  past  losses,  failures 
and  incidents.  Today,  companies  and  government 
agencies  are  well  advised  to  actively  seek  out  the 
unknown  and  identify  what  process  deviations  are 
occurring  and  what  negative  workforce  behaviors 


are  occurring  throughout  the  organization  now 
that  could  create  a  significant  risk,  or  more  impor¬ 
tantly,  what  small  deviations  when  added  together 
could  constitute  a  significant  risk  for  the  company. 
Deviations  from  both  organization-approved  stan¬ 
dardized  processes  and  established  workforce  be¬ 
haviors  must  be  caught  in  the  risk  management  net 
early. 

There  are  many  reasons  an  ERM  program 
might  be  ineffective,  but  two  common  causes  are 
(1)  the  agency  or  company’s  organizational  health 
or  culture,  and  (2)  the  design  of  the  ERM  program. 
If  either  of  these  components  is  weak,  the  chance  of 
missing  serious  risks  increases  exponentially. 

THE  ROLE  OF  CULTURE  IN  DEVELOPING  AN 
ERM  PROGRAM 

Private  sector  companies  routinely  pay  consultants 
millions  of  dollars  to  design  a  “state  of  the  art”  ERM 
program  only  to  see  them  fail.  The  best-designed 
risk  management  program  is  destined  to  fail  if  the 
culture  of  the  organization  does  not  make  it  safe  for 
employees  at  all  levels  to  raise  risks.  If  employees 
hear  the  words,  “We  want  you  to  raise  risks  you  see 
in  your  work  area,”  but  what  they  see  does  not  sup¬ 
port  those  words,  then  the  double  message  results 
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“Management  sfioukd  6e  a6Ce 
to  depend  on  empCoyees  to  take 
responsi6dity  for  identifying  risky.  ” 

in  a  culture  that  does  not  support  “raising  your 
hand.”  Managers  who  see  other  managers  fired  or 
moved  because  they  offered  a  position  that  conflicts 
with  upper  management  will  quickly  recognize  talk 
about  “risk  management”  as  simply  that — talk.  The 
key  is  creating  a  safe  environment  where  differing 
opinions  can  be  shared  in  a  mutually  respectful 
manner. 

Communicating  priorities  so  that  employees 
know  they  have  been  heard,  whether  their  ideas  are 
followed  or  not,  engenders  trust  in  leadership  and 
a  willingness  to  “raise  your  hand”  again.  Recruiting 
employees  at  all  levels  of  an  organization  is  critical 
for  an  effective  risk  management  system.  Relying 
on  only  leadership  (executives  and  managers)  often 
robs  the  system  of  the  observations  of  those  closest 
to  the  risks.  A  culture  in  which  employees  believe 
they  can  safely  have  awkward  conversations  about 
policies  and  practices  is  fundamental  to  an  effective 
risk  management  system.  Identifying  risks  must 
become  a  normal  part  of  every  employee’s  work  life. 
For  the  “new  normal”  to  take  hold,  however,  there 
must  be  a  trust  that  identified  risks  will  be  fairly 
evaluated  without  retaliation.  Few  government  or 
corporate  leaders,  however,  have  the  expertise  to 
create  that  environment  without  specialized  assis¬ 
tance  from  professionals  who  can  objectively  test 
the  culture  of  an  organization  and  take  steps  to 
improve  the  culture  as  required.  Therefore,  those 
organizations  that  have  poor  organizational  health 
are  most  vulnerable  to  unforeseen  risks. 

Creating  a  safe  environment  for  employees  to 
raise  issues  comes  with  a  corresponding  duty  of 
employees  to  follow  clear  behaviors  set  by  the  or¬ 
ganization.  In  other  words,  there  must  be  a  cor¬ 
responding  duty  of  employees  to  be  accountable 
when  management  creates  a  safe  environment  to 
proffer  differing  opinions.  This  is  more  than  simply 
requiring  employees  to  follow  policies  and  proce¬ 
dures  or  to  avoid  engaging  in  unethical  or  illegal 
behavior.  The  organization  should  have  a  list  of  de¬ 
sired  behaviors  that  reflect  the  culture  the  organiza¬ 
tion  aspires  to  have.  These  behaviors  may  include 


such  things  as  give  and  expect  mutual  respect, 
communicate  expectations  clearly,  seek  and  value 
the  opinions  of  others  and  be  comfortable  bring¬ 
ing  up  issues  and  recommending  solutions.  Man¬ 
agement  should  be  able  to  depend  on  employees 
to  take  responsibility  for  identifying  risks.  As  the 
“new  normal”  takes  hold,  risk  identification  and  re¬ 
duction  will  become  part  of  everyone’s  job. 

THE  IMPORTANCE  OF  THE  RIGHT  DESIGN 
FOR  AN  ERM  PROGRAM 

In  addition  to  culture,  the  appropriate  design  of  the 
risk  management  program  is  critical.  The  Commit¬ 
tee  on  Sponsoring  Organizations1  defines  ERM  as 
“. . .  [a]  process,  effected  [sic]  by  an  entity’s  board  of 
directors,  management  and  other  personnel,  ap¬ 
plied  in  strategy  setting  and  across  the  enterprise, 
designed  to  identify  potential  events  that  may  af¬ 
fect  the  entity,  and  manage  risks  to  be  within  its  risk 
appetite  to  provide  reasonable  assurance  regarding 
the  achievement  of  entity  objectives.” 

According  to  COSO’s  framework,  a  mature 
ERM  program  has  risk  management  embedded  in 
how  the  organization  conducts  business.  Execu¬ 
tives  and  line  management  comprehend  and  rec¬ 
ognize  the  value  of  the  program.  Dedicated  risk 
management  resources  are  consulted  by  executive/ 
operational  lines  for  risk  advisory  support  and  rec¬ 
ognized  as  a  strategic  business  driver. 

According  to  the  COSO  report,  enterprise  risk 
management  enables  management  to  effectively 
deal  with  uncertainty  and  associated  risk  and  op¬ 
portunity,  enhancing  the  capacity  to  build  value. 
The  COSO  report  also  states  management  can 


1)  In  September  2004,  Committee  of  Sponsoring  Organizations  of  the  Treadway  Commission 
issued  Enterprise  Risk  Management-Integrated  Framework.  The  executive  summary  can  be 
found  at  http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf. 
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maximize  value  by  setting  strategy  and  objectives 
to  strike  an  optimal  balance  between  growth  and 
return  goals  and  related  risks,  and  efficiently  and 
effectively  deploying  resources  in  pursuit  of  the 
entity’s  objectives.  Enterprise  risk  management  en¬ 
compasses: 

•  Aligning  risk  appetite  and  strategy — manage¬ 
ment  considers  the  entity’s  risk  appetite  in 
evaluating  strategic  alternatives,  setting  relat¬ 
ed  objectives  and  developing  mechanisms  to 
manage  related  risks. 

•  Enhancing  risk  response  decisions — enterprise 
risk  management  provides  the  rigor  to  identify 
and  select  among  alternative  risk  responses — 
risk  avoidance,  reduction,  sharing  and  accep¬ 
tance. 

•  Reducing  operational  surprises  and  losses — 
entities  gain  enhanced  capability  to  identify 
potential  events  and  establish  responses,  re¬ 
ducing  surprises  and  associated  costs  or  losses. 

•  Identifying  and  managing  multiple  and  cross¬ 
enterprise  risks — every  enterprise  faces  a 
myriad  of  risks  affecting  different  parts  of  the 
organization,  and  enterprise  risk  management 
facilitates  effective  response  to  the  interrelated 
impacts  and  integrated  responses  to  multiple 
risks. 

•  Seizing  opportunities — by  considering  a  full 
range  of  potential  events,  management  is  po¬ 
sitioned  to  identify  and  proactively  realize  op¬ 
portunities. 

•  Improving  deployment  of  capital — obtaining 
robust  risk  information  allows  management 
to  effectively  assess  overall  capital  needs 
and  enhance  capital  allocation. 

A  mature  program  will  include:  (1) 

a  well-defined  risk  tolerance;  (2)  risks 
that  are  systematically  identified,  as¬ 
sessed  and  communicated;  (3)  deci¬ 
sions  made  with  due  consideration 
to  risk/return  trade-offs;  and  (4) 
specified  and  monitored  risk- 
adjusted  performance  met¬ 
rics.  COSO’s  Enterprise  Risk 
Management  Integrated 
Framework  suggests  the 
chief  executive  should 
assess  the  organiza¬ 
tion’s  enterprise 
risk  management 


capabilities.  In  one  approach,  the  chief  executive 
brings  together  business  unit  heads  and  key  func¬ 
tional  staff  to  discuss  an  initial  assessment  of  en¬ 
terprise  risk  management  capabilities  and  effec¬ 
tiveness.  Whatever  its  form,  an  initial  assessment 
should  determine  whether  there  is  a  need  for,  and 
how  to  proceed  with,  a  broader,  more  in-depth 
evaluation. 

THE  TVA  EXPERIENCE  WITH  RISK 
MANAGEMENT 

Risk  management  at  the  Tennessee  Valley  Author¬ 
ity  before  the  December  2008  Kingston  coal  ash 
spill  was  never  the  subject  of  much  focus  from  TVA 
stakeholders.  That  environmental  disaster  resulted 
in  the  release  of  about  5.4  million  cubic  yards  of 
coal  ash  spilling  onto  adjacent  land  and  into  the 
Emory  River,  more  than  a  billion  dollars  in  cleanup 
costs  and  litigation.  After  the  spill,  both  TVA  man¬ 
agement  and  its  stakeholders  have  taken  a  hard 
look  at  how  well  TVA  manages  risks. 

TVA’s  evolution  was  probably  similar  to  other 
government  agencies  and  private  sector  companies 
through  the  years.  That  is,  the  design  evolved;  the 
culture  did  not.  While  the  components  of  ERM 
improved  significantly,  the  program  was  not  sup¬ 
ported  by  a  healthy  corporate  culture.  At  the  time 
of  the  Kingston  coal  ash  spill,  TVA  ranked  in  the 
lower  fourth  quartile  of  organizational  health 
when  benchmarked  against  other  utilities. 

TVA  > 

Sets  forth  TVA's  long  term  objectives,  consistent 
with  its  mission  and  the  TVA  Act  > 


ANNUAL  BUDGET 
Adopted  by  Board  of  Directors,  sets  forth  rates, 
financing  and  capital  plan  for  the  enterprise 


ANNUAL  SBU/BU  BUSINESS  PLAN 

Establishes  how  resources  will  be  deployed  at  the  SBU/BU 
level  in  support  of  TVA's  corporate  objectives,  including  risk 


RISK  INFORMED  BUSINESS  PLAN 

Sets  out  the  SBU/BU  response  to  its  most  significant  risk  and 
acts  as  a  platform  by  which  it  can  align  resources  to  better 
manage  those  risks  . 


SEMIANNUAL  SBU  RISK  ASSESSMENT 
Establishes  context,  serves  to  assist  SBU/BU 
with  the  assessment  of  its  risks 
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Among  other  things,  this  meant  that  confidence 
in  TVA  leadership  was  low,  that  it  was  safe  to  raise 
one’s  hand  and  that  employees’  concerns  about  risks 
would  receive  a  fair  assessment.  Fortunately,  the 
TVA  board  and  TVA’s  leadership  recognized  the  im¬ 
portance  of  improving  TVA’s  culture  after  Kingston 
and  started  a  process  to  address  the  culture  issues. 

What  difference  does  it  make  to  an  organiza¬ 
tion’s  risk  management  program  that  its  organiza¬ 
tional  health  is  improving?  Employees  who  believe 
that  management  is  demonstrating  respect  for  their 
opinions  and  is  making  it  safe  to  offer  differing 
opinions  will  volunteer  the  discretionary  effort  it  of¬ 
ten  takes  to  raise  a  potential  risk.  Employees  begin 
to  align  with  the  vision  and  goals  of  the  organization 
and  view  risks  no  longer  as  just  problems  for  man¬ 
agement  but  risks  for  their  success  as  individuals. 
Risk  identification  appears  now  to  be  driven  deeper 


into  the  agency  and  the  best  information  about  risk 
seems  to  be  getting  the  right  analysis.  The  ultimate 
success  of  TVA’s  on-going  culture  change,  there¬ 
fore,  will  likely  have  a  pronounced  effect  on  the  ul¬ 
timate  success  of  its  risk  management  program. 

Currently,  TVA  has  a  chief  risk  officer  with  a 
staff  dedicated  to  facilitating  discussions  about  risk 
within  TVA.  The  risks  that  are  identified  in  these 
discussions  are  evaluated,  and  the  risks  are  ranked 
with  mitigation  plans  to  reduce  them  as  appro¬ 
priate.  The  CEO  meets  periodically  with  the  Risk 
Council,  made  up  of  senior  executives,  to  review 
and  discuss  emerging  risk  issues.  Additionally,  the 
TVA  Board  of  Director’s  Audit,  Risk,  and  Regula¬ 
tion  Committee  routinely  reviews  the  top  ranked 
risks  and  the  related  mitigation  efforts.  The  OIG 
serves  in  an  advisory  capacity  by  routinely  meeting 
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with  the  chief  risk  officer  to  stay  abreast  of  emerging 
risk  issues. 

Through  time,  TVA’s  ERM  program  has  evolved 
to  the  point  that  it  is  now  embedded  in  how  the 
company  conducts  business,  and  it  has  progressed 
significantly  since  the  Kingston  spill.  Particularly 
noteworthy  is  that  risk  management  discussions 
occur  at  the  plant  level,  and  employees  with  direct 
knowledge  of  operations  and  risk  identify  issues.  As 
a  result,  the  number  of  risks  identified  has  grown 
substantially.  These  risks  are  rolled  up  into  19  risk 
areas  that  are  judged  significant  enough  to  impact 
TVA  as  an  enterprise.  (See  chart  on  page  5.) 

DEVELOPING  CLARITY  AROUND  THE  ROLE 
OF  THE  OFFICE  OF  INSPECTOR  GENERAL 
IN  ASSESSING  AN  ENTERPRISE  RISK 
MANAGEMENT  PROGRAM 
The  scope  of  responsibility  for  an  OIG  in  risk 
management  does  not  appear  to  have  been  the 
subject  of  much  public  debate.  Agency  risks  differ 
significantly  based  upon  the  varied  missions  of 
federal  agencies  and,  correspondingly,  the  work  of 
IG  offices  differ  based  on  the  specific  responsibilities 
of  their  respective  agencies.  All  IG  offices,  however, 
regularly  engage  in  risk  assessments  for  their 
respective  agencies  without  necessarily  evaluating 
the  ERM  program  specifically.  As  we  noted  above, 
two  critical  components  of  a  robust  ERM  program 
are  organizational  health  and  the  right  design  for 
the  program.  An  examination  of  both  would  seem 
to  be  a  logical  part  of  any  OIG’s  work.  The  “best  in 
class”  private  sector  companies  seem  to  appreciate 
that  organizational  health  and  risk  assessment 
are  both  key  to  performance  or  “the  bottom  line.” 
Federal  agencies  will  perform  better  and  more 
likely  achieve  their  stated  goals,  if  like  their  private 
sector  counterparts,  they  understand  what  makes  a 
healthy  culture  and  what  is  needed  to  have  a  robust 
ERM  program.  SO 


Richard  Moore 

Richard  W.  Moore  was  sworn  in  as  TVA’s 
first  presidentially-appointed  inspector 
general  May  9,  2003. 

From  1985  undl  his  confirmation 
as  inspector  general,  Moore  served  as 
assistant  U.S.  attorney  for  the  Southern 
District  of  Alabama.  During  that  time,  he 
prosecuted  a  variety  of  federal  crimes  including  government 
program  fraud  cases,  bank  and  insurance  fraud  cases,  official 
public  corruption  and  federal  RICO  cases.  He  also  served  at 
various  times  as  the  senior  litigation  counsel  and  as  chief  of 
the  Criminal  Division  in  the  Southern  District.  From  1 997 
to  1998,  Moore  was  an  Atlantic  Fellow  in  Public  Policy  at 
Oxford  University,  Oxford,  England,  where  he  conducted 
an  independent  study  on  the  prosecution  of  complex 
international  fraud  cases.  Prior  to  serving  with  the  U.S. 
Attorney’s  Office,  he  was  in  private  practice  in  Mobile,  Ala., 
and  Cleveland,  Ohio. 

Moore  attended  undergraduate  school  at  Spring  Hill 
College  in  Mobile,  Ala.,  graduating  summa  cum  laude 
with  a  Bachelor  of  Science  degree.  He  graduated  from  the 
Cumberland  School  of  Law  in  Birmingham,  Ala.,  with  a 
Juris  Doctor  degree. 

Moore  served  as  chair  of  the  investigations  committee 
of  the  Council  of  the  Inspectors  General  on  Integrity  and 
Efficiency  from  May  2009  to  April  2011. 

Ben  Wagner 

Ben  Wagner  serves  as  the  deputy 
inspector  general  for  the  Tennessee 
Valley  Authority  and  is  responsible 
for  the  management  of  the  day-to- 
day  operations  of  the  TVA  Office  of 
Inspector  General. 

Prior  to  serving  as  the  deputy 
inspector  general,  Wagner  served  as  the  assistant  inspector 
general  for  audits  and  inspections  and  was  responsible  for 
the  management  of  the  OIG  audit  program.  Additionally, 
Wagner  has  held  other  management  positions  in  the 
administrative  and  audit  operations  of  the  OIG.  Before 
working  in  the  OIG,  Wagner  held  various  management 
and  staff  positions  primarily  in  the  TVA  nuclear  power 
program. 
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The  Balanced  Scorecard:  An  Effective  Performance 
Tool  for  Offices  of  Inspector  General 


By  Inspector  General  Scott  Dahl  and  Kathleen  Frampton 

In  President  Barack  Obamas  2011  State  of  the 
Union  address,  he  remarked,  “We  shouldn’t  just 
give  our  people  a  government  that’s  more  afford¬ 
able.  We  should  give  them  a  government  that’s 
more  competent  and  more  efficient.”1  At  a  time  of 
increasing  fiscal  austerity,  all  government  organiza¬ 
tions,  including  offices  of  inspectors  general,  must 
manage  and  improve  performance  to  be  more  ef¬ 
ficient  and  effective.  Employing  performance 
management  systems,  like  the  Balanced  Scorecard 
performance  management  tool,  can  facilitate  per¬ 
formance  improvement  and  provide  OIG  manag¬ 
ers  with  the  necessary  data  to  make  informed  deci¬ 
sions. 

PERFORMANCE  MANAGEMENT 
CONSISTENT  WITH  OIG  MISSION  AND 
VALUES  HEALTH,  SAFETY  AND  WELFARE  OF 
MEN  AND  WOMEN  IN  UNIFORM 
Much  of  an  OIG’s  attention  is  properly  focused  on 
improving  an  agency’s  programs  and  operations, 
but  an  OIG  also  must  look  internally  to  improve 
its  own  operations  and  processes  to  deliver  timely, 
relevant  and  high-impact  oversight  to  stakeholders. 
To  make  OIG  operations  more  efficient  and  effec¬ 
tive,  OIG  managers  need  sufficient  data  and  met¬ 
rics  on  performance  to  benchmark  progress  and 
make  strategic  decisions  about  effective  resource 
allocation. 

Many  OIGs  develop  strategic  plans  identify¬ 
ing  organizational  goals  and  objectives,  establish 
metrics  to  track  performance  and  develop  specific 
strategic  initiatives  to  improve  processes  or  per¬ 
formance.  Likewise,  the  Council  of  the  Inspectors 
General  on  Integrity  and  Efficiency  recently  ad¬ 
opted  a  five-year  strategic  plan  that  incorporates 
specific  performance  measures  tied  to  its  strategic 

1)  Address  Before  a  Joint  Session  of  the  Congress  on  the  State  of  the  Union,  2011,  Daily 
Comp.  Pres.  Doc.  1  (Jan.  25,  2011) 


goals  and  objectives.  The  CIGIE  plan  identifies 
strategic  and  far-reaching  objectives  and  targets, 
which  CIGIE  management  believes  are  attainable 
and  will  improve  CIGIE’s  service  to  its  members, 
Congress  and  the  public. 

A  familiar  saying  “what  gets  measured  gets 
done”  provides  the  foundation  for  performance 
management.  The  key  to  the  success  of  perfor¬ 
mance-management  initiatives  is  linkage  of  the 
organization’s  mission  with  a  system  for  measur¬ 
ing  and  tracking  the  performance  on  goals  and 
deliverables.  A  performance  management  system 
provides  data  points  on  how  well  the  organization 
is  performing  in  the  various  functional  areas.  It 
thereby  plays  an  important  role  in  strategic  deci¬ 
sion-making  by  highlighting  those  areas  that  are 
not  performing  as  expected  or  identifying  areas  in 
need  of  improvement  or  greater  management  at¬ 
tention. 

In  addition,  OIG  managers  can  use  the  data 
from  the  performance  management  system  to 
communicate  with  staff  about  how  well  the  organi¬ 
zation  is  doing  on  achieving  its  strategic  objectives. 
The  increased  awareness  will  help  to  focus  the  staff 
on  the  highest  priorities  and  will  enhance  organi¬ 
zational  transparency  and  accountability.  The  data 
also  can  be  used  to  make  mid-course  program¬ 
matic  corrections  during  the  year,  making  the  OIG 


“JLfamifiar  saying  “what  gets 
measured  gets  done”  provides 
the  foundation  for  performance 
management.  ” 
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more  flexible  and  adaptive  to  address  emerging  is¬ 
sues. 

Moreover,  a  performance  management  system 
will  assist  in  making  the  most  efficient  resource  al¬ 
locations.  Almost  all  agency  budgets  have  been  cut 
and  are  being  closely  scrutinized  for  further  reduc¬ 
tions.  OIGs  are  likewise  experiencing  correspond¬ 
ing  budget  cuts.  Despite  cuts,  many  statutory  re¬ 
quirements  for  OIGs  are  unremitting,  and  in  fact, 
in  some  cases,  the  requirements  have  increased.  As 
a  result,  we  have  to  do  more  with  less.  Performance 
management  is  an  enabler,  helping  managers  align 
resources  to  the  highest  priority  projects. 

THE  BALANCED  SCORECARD  APPROACH 
A  performance  management  system  widely  ac¬ 
cepted  in  the  private  sector,  and  more  recently  in 
government  and  not-for-profit  organizations,  is  the 
Balanced  Scorecard  approach.  Prior  to  the  1990s, 
business  managers  primarily  used  financial  data  to 
determine  the  health  of  a  business  and  make  stra¬ 
tegic  business  decisions.  Financial  data  generally 
provides  a  historic  picture  of  performance,  but  re¬ 
lying  solely  on  this  backward  look  at  performance 
is  not  optimal  in  making  strategic  decisions  to  drive 
future  performance.  It  omits  critical  data  about  or¬ 
ganizational  performance,  such  as  employee  train¬ 
ing  and  development  and  customer  satisfaction.  In 
the  early  1990s,  Robert  Kaplan  and  David  Norton 


introduced  the  Balanced  Scorecard,  a  strategic  and 
operational  tool  linking  financial  and  nonfinancial 
data  to  indicate  organizational  performance  and 
enable  better  strategic  decision  making.2 


2)  Kaplan,  R.S.  &  Norton,  D.P.  (1992,  January/February).  The  Balanced  Scorecard-Measures 
that  Drive  Performance.  Harvard  Business  Review,  70(1). 


Key  to  the  BSC  is  the  interrelationship  of  four 
perspectives  on  which  the  BSC  is  based:  customer 
data,  learning  and  growth  (of  employees),  internal 
processes  and  financial  data.  Financial  and  custom¬ 
er  data  are  historic  or  lagging  indicators,  whereas 
internal  processes  and  learning  and  growth  are  for¬ 
ward  looking,  or  leading  indicators,  and  are  drivers 
for  future  performance.  BSC  enables  managers  to 
align  the  vision  and  strategy  implementation  with 
operations  by  measuring  performance  across  the 
four  perspectives.  These  cause-and-effect  relation¬ 
ships  between  leading  and  lagging  indicators  pres¬ 
ent  a  clear  picture  of  factors  affecting  performance. 
Strategy  implementation  is  fueled  by  measuring 
and  managing  mission-critical  success  factors 


across  the  four  BSC  perspectives,  which  in  turn 
leads  to  mission  accomplishment. 

In  addition,  the  BSC  is  an  important  com¬ 
munication  tool,  providing  employees  and  stake¬ 
holders  with  a  clear  and  concise  understanding  of 
important  factors  to  accomplish  the  organizations 
mission.  Communication  is  critical  in  successfully 
implementing  a  BSC.  Employees  need  to  under¬ 
stand  how  the  work  they  do  feeds  into  organiza¬ 
tional  performance  and  strategy.  The  BSC  provides 
clear  linkages  from  work  to  mission  accomplish¬ 
ment.  For  stakeholders  (funders,  appropriators  and 
customers),  a  BSC  demonstrates  accountability  and 
a  willingness  to  be  transparent. 

An  outgrowth  of  the  internal-processes  per¬ 
spective  and  an  important  component  of  the  BSC  is 
process  improvement.  Process  improvement  drives 
organizational  change  and  promotes  innovation 
by  evaluating  the  status  quo  and  considering  new 
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ways  of  doing  business.  By  identifying  those  mis¬ 
sion-critical  processes  and  empowering  employees 
to  re-engineer  those  processes,  breakthroughs  in 
organizational  efficiency  can  occur. 

Overall,  the  BSC  is  a  tool  that  provides  a  frame¬ 
work  for  organizations  to  take  a  holistic  view  of  the 
organization  to  determine  what  progress  is  being 
made  and  lagging  indicators.  It  also  enables  organi¬ 
zational  leaders  to  identify  areas  that  need  manage¬ 
ment  attention,  whether  to  improve  performance 
or  change  processes.  When  fully  integrated  into  the 
fabric  of  an  organization,  BSC  serves  as  a  strategic 
management  system,  measurement  system  and 
communications  tool. 

In  developing  its  five-year  strategic  plan,  CIGIE 
used  the  BSC  framework.  Several  OIGs  also  have 
used  or  are  developing  strategic  plans  based  on  the 
BSC  framework.  A  helpful  resource  guide  for  de¬ 
veloping  BSC  for  an  OIG  is  Paul  Nivens  book,  “Bal¬ 
anced  Scorecard  Step-By-Step  for  Government  and 
Nonprofit  Agencies.”3 

APPLICATION  OF  THE  BALANCED 
SCORECARD  IN  OFFICES  OF  INSPECTOR 
GENERAL 

The  OIG’s  mission  as  agency  watchdog  opens 
countless  avenues  for  expending  limited  resourc¬ 
es.  OIGs  must  have  effective  systems  and  pro¬ 
cesses  to  guide  work  planning  and  better  focus 
resources.  The  systems  also  allow  us  to  assess  our 
performance  in  meeting  our  organizational  goals. 
The  BSC  approach  dovetails  neatly  with  OIG  first 
principles,  because  it  is  grounded  in  an  organiza¬ 
tions  strategic  plan  and  core  values,  including  ac¬ 


Improve  agency 
programs  a 
operations 


Increase 
operational  | 
efficiency  and 
effectiveness. 


Increase 
^organization 
capacity. 


3)  Id.  (2008). 


countability,  performance  excellence  and  integrity. 
Because  oversight  of  the  agencies  for  which  we  are 
responsible  centers  on  holding  these  organizations 
accountable,  to  be  responsible  and  credible,  we 
also  should  hold  ourselves  accountable  to  how  well 
we  are  performing  against  our  strategic  goals.  We 
should  focus  on  our  own  results  and  be  prepared  to 


measure  our  progress  in  achieving  them  to  better 
serve  our  stakeholders. 

Using  the  BSC  approach,  the  OIG  senior  man¬ 
agers  first  establish  the  OIG’s  strategic  goals  and 
then  identify  objectives,  those  activities  or  pro¬ 
cesses  that  must  be  completed  to  achieve  the  stra¬ 
tegic  goals.  OIG  managers  develop  metrics  that 
provide  quantitative  data  to  monitor  progress  to¬ 
wards  achieving  the  objectives.  Some  objectives 
may  cross  OIG  office  boundaries.  For  example,  an 
objective  such  as  “timely  delivery  of  OIG  products” 
will  encompass  audit,  investigation,  legal  analysis 
and  congressional  response  metrics.  This  organiza¬ 
tional  view  of  the  OIG  will  enable  senior  staff  to 
identify  areas  that  warranted  management  atten¬ 
tion  or  process  improvements. 

As  the  OIG  begins  BSC  implementation,  the 
senior  staff  responsible  for  an  objective  will  need 
to  identify  specific  performance  measures  and  tar¬ 
gets.  In  addition,  these  measures  can  be  validated 
and  benchmarked  against  other  OIG  offices.  Many 
measures  are  likely  to  be  focused  on  timeliness, 
which  is  one  of  the  primary  objectives  for  an  OIG. 
Measures  and  targets  can  be  refined  and  adjusted 
through  time  to  better  reflect  the  OIG  mission  and 
strategic  intent. 

In  addition,  some  objectives  may  involve  pro¬ 
cess  improvement  to  make  the  OIG  a  more  efficient 
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and  effective  organization.  An  example  of  process 
improvement  could  include  the  audit  process  to 
improve  quality,  relevance  and  timeliness  of  audit 
reports.  The  outcomes  of  this  process  improvement 
may  involve  defining  the  audit  workflow,  develop¬ 
ing  a  baseline  measure  of  timeliness,  reducing  data 
calls  and  increasing  transparency  for  OIG  leader¬ 
ship.  Another  example  of  process  improvement  on 
the  investigation  side  might  be  hotline  processes  to 
better  standardize  the  intake,  referral  and  review 
process,  increase  timeliness  of  complaint  disposi¬ 
tion  and  develop  a  trend  analysis  of  complaints. 
The  outcomes  of  the  hotline  process-improvement 
project  include  consistent  communications  with 
complainants  during  complaint  review  process,  in¬ 
creased  timeliness  of  complaint  disposition  and  in¬ 
creased  management  attention  to  complaint  trends. 

A  benefit  of  employing  BSC  is  the  ability  of 
managers  at  all  levels  of  the  organization  to  track 
progress,  identify  risks  and  mitigate  those  risks 
before  they  have  become  larger  problems.  BSC  is 
an  excellent  communication  tool  for  providing  the 
entire  organization  a  data-driven  picture  of  perfor¬ 
mance  on  mission  goals.  BSC  can  be  posted  on  the 
OIG  intranet  and  discussed  with  the  staff  through¬ 
out  the  year. 

OIGs  already  gather,  for  various  products, 
much  of  the  data  that  BSC  tracks,  such  as  semian¬ 
nual  reports,  Office  of  Management  and  Budget 
reports,  congressional  responses  and  others.  No 
special  software  or  specialized  training  is  needed  to 
use  BSC. 


“(BSC  is  an  exceCCent 
communication  too  f for  providing 
the  entire  organization  a  data- 
driven  picture  of  performance  on 
mission  goafs.  ” 


LEGISLATIVE  REQUIREMENTS  FOR 
PERFORMANCE  MANAGEMENT 
BSC  can  also  assist  OIGs  in  meeting  statutory  per¬ 
formance  management  requirements.  In  response 
to  presidential  initiatives  beginning  in  the  1990s, 
government  managers  have  focused  on  becoming 
more  results-oriented  and  providing  more  infor¬ 
mation  to  the  public  about  their  operations.  In  ad¬ 
dition,  agencies  are  required  by  the  Government 
Performance  and  Results  Act,  and  more  recently 
the  GPRA  Modernization  Act  of  2010,  to  measure 
and  monitor  performance.  Prior  to  GPRA,  agency 
management  and  decision  making  were  based  on 
activities  and  processes  rather  than  results  and  out¬ 
comes.  A  requirement  of  GPRAMA  is  that  federal 
agencies  must  develop  a  multi-year  strategic  plan 
to  identify  their  mission,  specific  goals  or  objec¬ 
tives  and  define  performance  measures  or  mile¬ 
stones  that  indicate  progress  toward  goal  attain¬ 
ment  and  results.  GPRAMA  also  requires  agencies 
to  provide  data  about  programs  that  cross  agency 
boundaries  and  ensure  quarterly  data  is  available 
on  public  websites.  To  meet  the  requirements  of 
GPRAMA,  BSC  is  a  tool  that  has  a  proven  track  re¬ 
cord  of  enabling  organizations  to  develop  and  im¬ 
plement  strategic  plans  and  to  measure  and  track 
performance. 

In  addition,  federal  regulations  require  that 
agencies  use  a  performance  management  system 
to  evaluate  senior  executive  service  personnel.  Per¬ 
formance  plans  must  include  measurable  results 
and  strategic  planning  initiatives.  Senior  executive 
system  performance  plans  can  be  tied  to  BSC  mea¬ 
sures  and  performance  on  strategic  initiatives,  and 
these  measures  cascade  throughout  the  OIG. 
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CONCLUSION 

The  Balanced  Scorecard  performance  management  sys¬ 
tem  is  a  proven,  flexible,  inexpensive,  and  dynamic  tool 
that  is  easily  adaptable  to  any  organization.  BSC  provides 
a  straightforward  framework  to  more  effectively  define 
the  organizations  priorities,  make  strategic  decisions  and 
evaluate  performance.  In  addition,  BSC  is  an  excellent 
communications  tool  within  the  organization  that  pro¬ 
vides  a  clear  picture  of  its  health  and  priorities,  so 

Scott  Dahl 

Scott  S.  Dahl  was  appointed  as  inspector 
general  of  the  Smithsonian  Institution 
Jan.  16,  2012.  Prior  to  his  appointment, 
Dahl  served  in  other  senior  positions  in 
the  inspector  general  community — first 
as  senior  counsel  to  the  inspector  gen¬ 
eral  at  the  Department  of  Justice,  then  as 
deputy  inspector  general  for  the  Office  of 
the  Director  of  National  Intelligence  (which  oversees  the 
Intelligence  Community),  and  most  recently  as  the  dep¬ 
uty  inspector  general  for  the  Department  of  Commerce. 
Before  joining  the  IG  community,  Dahl  was  a  corruption 
prosecutor  in  the  Public  Integrity  Section,  Criminal  Divi¬ 
sion  of  the  Department  of  Justice,  and  a  trial  attorney  in 
the  Civil  Fraud  Section,  Civil  Division  of  the  Department 
of  Justice.  Prior  to  government  service,  Dahl  was  an  asso¬ 
ciate  at  the  Washington,  D.C.,  law  firm  of  Arnold  &  Porter. 
For  the  past  21  years,  Dahl  has  been  an  adjunct  professor 
at  the  Georgetown  University  Law  Center,  teaching  class¬ 
es  on  professional  responsibility  and  public  corruption. 


Kathleen  Frampton 

Kathleen  Welch  Frampton  currently 
serves  as  a  business  consultant 
in  the  Department  of  Defense. 
She  has  extensive  experience  in 
project  management,  performance 
management,  process  improvement, 
strategy  development,  and 
organizational  studies  and  analyses. 
Frampton  has  served  in  the  Department  of  Commerce 
Office  of  Inspector  General,  National  Weather  Service, 
Office  of  the  Director  of  National  Intelligence  Office 
of  Inspector  General  and  the  Department  of  Veteran 
Affairs.  Prior  to  returning  to  government,  Frampton  was 
a  management  consultant  with  Touchstone  Consulting 
Group.  In  addition,  Frampton  is  adjunct  faculty  at  the 
University  of  Maryland  University  College,  Graduate 
School  of  Management  and  Technology.  She  is  a 
certified  project  management  professional  and  Lean 
Six  Sigma  green  belt. 
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An  Ounce  of  Outreach  is  Worth  a 
Pound  of  Enforcement 


By  B.  Chad  Bungard 

Advances  in  communications  and  technology  have 
granted  people  real-time  access  to  information 
through  social  networking,  mobile  applications 
and  traditional  Web  browsers.  These  days,  we 
would  much  rather  click  a  mouse  or  swipe  a  touch¬ 
screen  than  grab  a  book  from  the  shelf.  This  trend 
has  had  a  seismic  impact  on  American  society;  as  a 
sign  of  the  times,  the  Encyclopedia  Britannica — an 
iconic  publication — recently  discontinued  printing 
hard  copies  after  more  than  two  centuries. 1 

There  were  215  million  Americans  actively2 
using  the  Internet  in  August  2011, 3  according  to 
recent  Nielsen  Internet  usage  data.  During  that 
same  month,  Google  and  Yahoo!  experienced  176 
million  and  149  million  unique  visitors,  respec¬ 
tively.4  A  2010  Pew  Internet  and  American  Life 
Project  Report  revealed,  “Americans  are  turning 
in  large  numbers  to  government  websites  to  access 
information  and  services”  and  “typically  rely  on 
search  engines  to  guide  them  to  their  destination 
when  seeking  government  information  online.”5 
According  to  the  report,  41  percent  of  Americans 
have  downloaded  government  forms.6 

Scam  artists  are  well  aware  of  these  staggering 
numbers.  It  was  only  a  matter  of  time  before  unscru¬ 
pulous  individuals  targeted  the  Social  Security 
Administration — an  agency  that  touches  the  lives 
of  virtually  every  American.  SSA  issues  a  Social 
Security  number  to  all  U.S.  citizens,  permanent 


1)  Julie  Bosman,  After  244  Years,  Encyclopedia  Britannica  Stops  the  Presses,  The  New  York 
Times,  March  13, 2012.  See  http://mediadecoder.blogs.nytimes.com/2012/03/13/after- 
244-years-encyclopaedia-britannica-stops-the-presses. 

2)  Nielsen  Wire,  August  2011 — Top  US  Web  Brands,  September  30,  2011.  See  http://blog. 
nielsen.com/ nielsenwire/ online_mobile/august-20 1 1  -top-us- web-brands. 

3)  Nielsen  estimates  that  Americans  on  average  spent  more  than  30  hours  on  the  Internet 
during  August  2011  and  visited  99  different  websites.  Nielsen  also  estimates  that  275  million 
Americans  had  access  to  the  Internet  during  that  same  period.  Nielsen  Wire,  supra  note  3. 

4)  Id. 

5)  Aaron  Smith,  Government  Online:  The  Internet  Gives  Citizens  New  Paths  to  Government 
Services  and  Information,  PEW  INTERNET  AND  AMERICAN  LIFE  PROJECT,  at  2,  3 
(April  27,  2010).  The  Pew  Report  found  that  87%  of  Internet  users  look  for  information  or 
complete  a  transaction  on  a  government  website.  See  http://www.pewinternet.org/Re- 
ports/2010/Government-Online.aspx. 

6)  Id. 


residents7  and  temporary  working  residents,  and 
SSA  benefit  payments  serve  as  the  financial  lifeline 
to  many  Americans.8 

"... Americans  are  turning  in  targe 
num6ers  to  government  we6sites  to 
access  information  and  services...  ” 

THE  NET  FORMS  SCHEME 
In  2009  and  2010,  a  Google  or  Yahoo!  search  for  a 
“new  or  replacement  Social  Security  card”  would 
likely  have  led  consumers  to  the  website,  ssnhome. 
com  (pictured).  The  site  appeared  at  or  near  the  top 
of  the  search  results  in  the  sponsored  section  of 
both  the  Google  and  Yahoo!  search  engines. 

The  sleek  site  greeted  visitors  with  the  promi¬ 
nent  words,  “Social  Security  Home,”  an  eagle  logo, 
and  a  subtle  image  of  the  U.S.  flag  at  the  top  of  the 
webpage.  An  official-sounding  slogan,  “Securing 
Americas  Promise,”  sat  above  two  large  images  of 
a  Form  SS-5,  SSA’s  Application  for  a  Social  Security 
Card.  The  site  displayed  many  Social  Security- 
related  words  and  phrases,  and  featured  “statement 
of  earnings”  and  “eligibility  quiz”  tabs.  The  site 
offered  the  consumer  the  ability  to  download  the 
SS-5  form  and  avoid  long  lines  by  applying  from 
home.  It  also  contained  images  of  three  official 
federal  government  logos:  the  White  House,  USA. 
gov  and  SSA.  A  click  on  the  first  two  logos  took  the 
consumer  directly  to  the  official  sites;  the  SSA  logo, 

7)  42  U.S.C.  §  405(c)(2)(B). 

8)  As  of  Dec.  21,  2011,  55.4  million  individuals  were  receiving  Social  Security  benefits.  See 
http://www.ssa.gov/OACT/STATS/OASDIbenies.html.  See  also  U.S.  Seniors  Assoc.,  Inc.  v. 
SSA,  423  F.3d  397,  497  (4th  Cir.  2005)  (“The  government  has  a  substantial  interest  in  protect¬ 
ing  Social  Security,  as  the  financial  lifeline  of  most  senior  Americans,  and  it  has  a  strong 
interest  in  protecting  Social  Security  recipients  from  deceptive  mailings”).  It  is  also  important 
to  note  that  SSA  offers  a  robust  Internet  presence,  offering  comprehensive  program  informa¬ 
tion  and  publications,  Social  Security  forms,  and  the  ability  to  file  for  Social  Security  benefits 
online  at  www.socialsecurity.gov. 
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however,  was  not  an  operational  link — leaving  indi¬ 
viduals  with  the  impression  that  they  were  already 
on  SSA’s  official  site. 

The  problem:  the  website  was  a  fake  and  fooled 
thousands  of  people.  Net  Forms,  LLC,  a  Houston- 
based  company,  operated  ssnhome.com  as  part  of  a 
deceptive,  profit-seeking  scheme  by  luring  unsus¬ 
pecting  consumers  into  purchasing  the  Form  SS-5. 
SSA  provides  the  SS-5  at  no  cost  on  its  website, 
accessible  at  www.socialsecurity.gov  or  www.ssa. 
gov,  as  well  as  at  all  SSA  field  offices  and  other  SSA- 
approved  locations  across  the  country.  Net  Forms 
purchased  more  than  a  million  dollars  of  online 
advertising  services  from  Google  and  Yahoo!  to 
ensure  that  online  searches  for  terms  related  to 
obtaining  a  new  or  replacement  Social  Security 
card  would  direct  potential  customers  to  ssnhome. 
com.  Net  Forms  accumulated  significant  revenues 
from  its  sale  of  the  SS-5;  fees  reached  as  high  as 
$29.99  and  often  unbeknownst  to  the  consumer, 
the  site  also  charged  a  $9.99  automatically  renew¬ 
able  annual  membership  fee. 

THE  LAW 

In  1988,  to  combat  a  rise  in  deceptive  mailings  tar¬ 
geting  seniors,  Congress  enacted  Section  1140  of 
the  Social  Security  Act — a  provision  prohibiting 
the  misuse  of  words,  letters,  symbols  and  emblems 
of  SSA.9 *  This  provided  SSA  with  a  consumer  pro¬ 
tection  tool  against  misleading  advertising.  As 
the  Fourth  Circuit  Court  of  Appeals  recognized 
in  United  Seniors  Ass’n,  Inc.  v.  SSA,  “[i]n  passing 
Section  1140,  Congress  sought  to  protect  Social 
Security  recipients  from  potential  identity  theft, 
from  spending  their  Social  Security  benefits  on 

9)  42  U.S.C.  §  1320b-10,  as  implemented  by  20  C.F.R.  part  498. 


organizations  camouflaging  as  governmental 
entities  and  from  endless  solicitations.”10 

In  particular,  Section  1 140  protects  SSA’s  brand 
by  prohibiting  the  use  of  SSA  words  and  symbols  in 
advertisements,  solicitations  or  other  communica¬ 
tions  in  a  manner  that  conveys  the  false  impression 
that  such  item  is  approved,  endorsed  or  authorized 
by  SSA,  or  that  such  person  has  some  connection 
with  or  authorization  from  SSA.11  It  also  prohibits 
the  fee-based  reproduction,  reprinting  or  distribu¬ 
tion  of  SSA  forms,  applications  or  other  publications 
without  authorization  from  SSA.12  For  these  pro¬ 
hibitions,  Congress  made  clear  that  the  use  of  a 
disclaimer  is  not  a  defense.13  This  was  because,  as 
noted  in  the  legislative  history,  “[m]any  consumers 
do  not  read,  or  cannot  read,  disclaimers!.]”14  In 
2004,  Congress  amended  Section  1140  to  also 
prohibit  providing  services  for  a  fee  that  are  avail¬ 
able  directly  from  SSA  free  of  charge,  without  the 
use  of  a  prominent  disclaimer  that  the  product  is 
available  free  of  charge  by  SSA.15 

The  Social  Security  Administrations  Office  of 
the  Inspector  General  aggressively  enforces  Section 
1 140.  The  statute  provides  for  as  much  as  $5,000  in 
civil  monetary  penalties  for  each  separate  violation 
of  the  Social  Security  Act.16  Entities  are  subject  to  a 
separate  penalty  for  each  time  an  individual  visited 
(or  viewed)  a  website  in  violation  of  Section  1140 
or  purchased  an  SSA  form  that  was  sold  without 
proper  authorization.  The  Social  Security  Act 
also  provides  that  a  penalty  of  as  much  as  $25,000 
may  be  imposed  for  each  time  a  violating  broad¬ 
cast  or  telecast  is  viewed.17  Penalties  collected  for 
violations  of  Section  1 140  are  deposited  into  SSA’s 
Old-Age  and  Survivors  Trust  Fund.18 

Congress  initially  enacted  Section  1140  to 
combat  misleading  insurance  marketing  tactics — 
often  referred  to  as  “lead  card”  mailings.19  This  scam 
typically  involved  a  lead  company  sending  mis¬ 
leading  solicitations  to  senior  citizens  to  lure  them 
into  completing  a  reply  card  and  forwarding  highly 
sensitive  personal  information  to  the  company.  This 
lead  company  would  market  this  sensitive  data  to 
insurance  companies,  which  in  turn,  would  solicit 

10)  423  F.3d.  397,  399  (4th  Cir.  2005). 

11)  42  U.S.C.  §  1320b-10,  as  implemented  by  20  C.F.R.  part  498.42  U.S.C.  §  1320b-10(a)(l). 

12)  42  U.S.C.  §  1320b-10(a)(2)(A). 

13)  42  U.S.C.  §  1320b-10(a)(3). 

14)  H.  R.  Rep.  No.  506, 103rd  Cong.,  2nd  Sess.,  at  68  (1994). 

15)  Social  Security  Protection  Act  of  2004, 108  P.L.  203§  204;  42  U.S.C.  §  1320b-10(a)(4)(A). 

16)  42  U.S.C.  §  1320b-10(b)(l). 

17)  42  U.S.C.  §  1320b-10(b)(2). 

18)  42  U.S.C.  §  1320b-10(c)(2). 

19)  See  generally  H.  R.  Rep.  No.  506, 103rd  Cong.,  2nd  Sess.  (1994). 
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‘Wet  (Forms  agreed  to  permanently 
shut  down  its  SS-S  we6site 
operation  and  pay  a  $325, 000 
penaCty  into  the  trust  fund...  ” 

seniors  to  purchase  burial  and  other  private  insur¬ 
ance  policies.  Through  our  aggressive  enforcement 
efforts  over  the  years,  including  countless  hours  of 
investigations  and  litigation,  these  deceptive  SSA- 
related  mailings  are  now  rare.  However,  as  the  Net 
Forms  case  illustrates,  we  are  now  confronting  a 
new  breed  of  misleading  SSA-related  advertising 
via  the  Internet. 

NET  FORMS:  CASE  RESOLUTION 
Net  Forms  went  to  great  lengths  to  shield  its  identity 
and  relationship  with  its  SS-5  website  operation. 
Because  of  the  covert  nature  in  which  Net  Forms 
operated,  we  had  concerns  the  company  would 
shelter  its  assets  from  the  government’s  reach  when 
it  became  aware  of  the  investigation.  Therefore, 
in  partnership  with  the  U.S.  Attorney’s  Office, 
Southern  District  of  Texas,  we  requested  and  the 
court  granted,  ex  parte  injunctive  relief  prohibiting 
Net  Forms  from  operating  its  SS-5  websites  and 
freezing  significant  Net  Forms  assets.  We  reached 
a  settlement  agreement  in  which  Net  Forms  agreed 
to  permanently  shut  down  its  SS-5  website  opera¬ 
tion  and  pay  a  $325,000  penalty  into  the  trust  fund, 
representing  a  disgorgement  of  its  net  profits. 

OUTREACH  EFFORTS 

As  the  Net  Forms  case  wore  on,  tying  up  signifi¬ 
cant  resources,  we  realized  that  we  could  not  rely 
solely  on  litigation  to  stem  the  ever-increasing  tide 
of  Social  Security-related  Internet  fraud.  During 
the  nine  months  investigating  and  litigating  the  Net 
Forms  case,  the  number  of  allegations  of  similarly 
fraudulent  website  operations  grew  exponentially. 

At  the  beginning  of  fiscalyear  20 12,  the  SSA  OIG 
Office  of  the  Counsel  to  the  Inspector  General  ini¬ 
tiated  an  outreach  program  to  combat  the  alarming 
increase  of  Internet-based  violations  of  Section 
1140.  To  combat  this  fraud,  we  met  with  senior 
officials  from  Google,  Yahoo!,  Microsoft  (Bing), 
GoDaddy,  web.com,  Demand  Media,  Discover, 


JPMorgan  Chase,  eBay/PayPal,  Visa,  MasterCard 
and  American  Express.  Our  goal  was  to  educate 
these  companies  about  Section  1140,  discuss  how 
website  operators  are  using  the  Internet  (and  their 
services)  to  commit  fraud  in  violation  of  Section 
1 140  and  discuss  ways  that  we  could  work  together. 
This  outreach  effort  is  helping  us  successfully  fight 
this  fraud  using  a  multipronged  approach,  which 
has  five  key  elements. 

ELEMENT  1:  LEARN  THE  GAME 
The  outreach  meetings  provided  us  with  valuable 
insight  and  knowledge  of  some  of  the  key  technical 
aspects  of  how  individuals  use  legitimate  business 
methods  to  lure  unsuspecting  customers.  For 
example,  we  learned  that  it  is  a  common  practice  to 
use  more  than  one  URL  (or  domain  name)  to  direct 
traffic  to  a  particular  website.  These  additional 
URLs,  referred  to  as  display  URLs,  allow  website 
operators  to  increase  their  presence  in  Internet 
searches  and  direct  more  traffic  and  ultimately 
more  business  to  their  destination  URL. 

ELEMENT  2:  DEVELOP  RELATIONSHIPS 
WITH  KEY  CONTACTS 

We  developed  key  contacts  to  help  us  gather 
information  quickly  and  expedite  action.  Several 
companies  have  worked  with  us  to  establish  mech¬ 
anisms  to  identify  the  website  operators  quickly, 
halt  these  schemes  and  even  prevent  such  activi¬ 
ties  from  starting.  It  used  to  take  us  up  to  several 
months  to  discover  who  was  operating  a  partic¬ 
ular  website;  it  can  now  take  only  hours.  We  have 
also  shut  down  a  website  within  just  a  few  days 
of  learning  of  its  operation;  this  was  not  possible 
before  the  outreach  began. 

ELEMENT  3:  FIND  COMMON  GROUND 
We  conveyed  to  each  company  why  it  was  smart 
business  to  be  proactive  in  fighting  Social  Security- 
related  fraud.  Working  with  us  would  not  only 
protect  the  Social  Security  brand  and  protect 
millions  of  consumers,  but  the  company’s  own 
brand  was  also  at  stake  if  it  conducted  business 
with  fraudulent  entities.  Soon,  after  we  met  with 
one  credit  card  company,  and  it  created  a  filtering 
system,  with  our  assistance,  to  identify  websites 
immediately  that  may  violate  Section  1140  and  that 
accept  (or  purport  to  accept)  its  credit  cards  as  a 
form  of  payment.  The  company  refers  all  websites 
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that  it  identifies  through  this  filtering  system  to 
SSA  OIG  for  review.  This  proactive  method  has 
allowed  us  to  take  immediate  action  to  shut  down 
upstart  websites  operating  in  violation  of  Section 
1140.  For  example,  we  took  action  against  two 
North  Carolina-based  sites,  socialsecuritycardser- 
vice.com  and  social-security-card-now.com,  in  just 
a  few  short  weeks  from  notification;  the  website 
operator  immediately  agreed  to  cease  its  violative 
operations. 

ELEMENT  4:  CHANGE  THE  PLAYING  FIELD 
Based  on  our  outreach  efforts,  Google  and 
Microsoft  (which  powers  both  its  Bing  and 
Yahoo!  search  engines)  modified  their  AdWords 
Terms  and  Conditions  and  Ad  Content  and  Style 
Guidelines  polices,  respectively,  to  protect  its  users 
from  advertisements,  websites  and  businesses  that 
create  the  false  impression  of  a  connection  with  a 
governmental  agency.20  These  new  policies  could 
be  extremely  effective  in  preventing  individuals 
and  entities  from  deceiving  SSA  consumers  using 
Google’s  and  Microsoft’s  advertisement  services 
Google  also  took  quick  action  to  discon¬ 
tinue  its  ongoing  advertising  relationships  with 
two  Internet  companies — Bennett  &  Gray,  LLC 
and  SimpleFilings — until  it  was  satisfied  the  sites 
were  no  longer  acting  in  violation  of  Section 
1 140.  Bennett  &  Gray  of  Lindon,  Utah,  agreed  to 
pay  a  $50,000  civil  monetary  penalty  to  settle  our 
claim  that  the  company  violated  Section  1140.  The 
company  operated  the  websites,  www.sscards.us 
and  www.sscardapplication.com,  which  offered  for 
a  fee,  assistance  in  applying  for  a  new  or  replace¬ 
ment  Social  Security  card.  We  determined  that  the 
websites’  design,  along  with  related  domain  names, 

20)  See  http://support.google.com/adwordspolicy/bin/static.py?hl=en&page=guide.cs&guid 
e= 1 308243&topic=  1 310877&answer=  1 050602  and  http://advertising.microsoft.com/small- 
business/search-advertising/ad-content-guidelines. 


created  the  false  impression  of  a  connection  with 
SSA.  Bennett  &  Gray  voluntarily  redesigned  its 
website  operation  to  bring  it  into  compliance  with 
Section  1140,  and  agreed  to  discontinue  the  use 
of  the  domain  names  www.sscards.us  and  www. 
sscardapplication.com. 

Similarly,  SimpleFilings  agreed  to  discontinue 
the  use  of  the  domain  names,  gov-tax.net/ssn-card 
and  simplefilings.gov-tax.net/ssn-card,  which  we 
deemed  to  be  in  violation  of  Section  1140,  vol¬ 
untarily  made  changes  to  its  website  to  further 
clarify  its  services  and  agreed  to  pay  an  $82,000 
civil  monetary  penalty  to  settle  our  claim  that  the 
company  violated  Section  1140.  We  received  a 
significant  number  of  complaints  of  consumer  con¬ 
fusion  caused  by  the  use  of  these  domain  names. 


“do  date,  our  outreach  efforts  have 
stopped  18  viohative 
Internet  operations...  ” 


ELEMENT  5:  CUT  OFF  THE  MONEY  SUPPLY 
Previously,  we  spent  months  investigating  violative 
websites  only  to  learn  that  they  operated  overseas — 
likely  out  of  our  reach  to  shut  the  websites  down 
and  impose  Section  1140  penalties.  However,  by 
working  closely  with  financial  institutions,  we 
have  been  able  to  effectively  combat  even  overseas- 
based  schemes  without  jurisdictional  impediment. 
Financial  institutions  have  moved  responsibly  and 
quickly  to  stop  accepting  funds  from  sites  that  we 
have  deemed  are  operating  in  violation  of  Section 
1140.  Cutting  off  the  money  supply  provides  a 
quick  end  to  the  fraudulent  activity;  some  sites 
have  shut  down  within  hours  after  financial  institu¬ 
tions  refused  to  process  their  payments 

THE  RESULTS 

In  the  first  few  months  of  fiscal  year  2012,  through 
aggressive  enforcement  and  outreach  efforts,  our 
office  halted  18  Internet-based  fraud  schemes  that 
we  determinedwere  operating  in  violation  of  Section 
1140.  One  of  the  sites,  SocialSecurityCardService. 
com  (pictured  on  page  18),  followed  a  typical 
blueprint  of  deception  for  SS-5  scams.  These  sites 
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typically  included  official-looking  logos  and  images 
of  the  U.S.  flag,  Social  Security  cards  and  SS-5 
applications;  they  also  often  used  deceptive  domain 
names  that  implied  a  false  SSA  connection. 

CONCLUSION 

Protecting  the  SSA  brand  ultimately  protects  SSA 
consumers.  Collaborating  with  the  entities  that  can 
stop  fraud  in  its  tracks  is  not  only  cost-effective, 
but  it  can  also  prevent  fraud  from  ever  occurring. 
This  public/private  sector  endeavor  is  proving  to  be 
a  powerful  one-two  punch  against  Internet  scams. 
To  date,  our  outreach  efforts  have  stopped  18  vio¬ 
lative  Internet  operations  in  less  time  than  it  took 
to  shut  down  the  Net  Forms  website  scheme.  This 
kind  of  enforcement  action  quickly  gets  noticed; 
unscrupulous  individuals  will  think  twice  before 
expending  resources  to  set  up  a  fraudulent  opera¬ 
tion,  and  legitimate  businesses  will  ensure  due 
diligence  in  complying  with  Section  1140.  The  tre¬ 
mendous  success  of  our  outreach  program  in  just  a 
short  time  demonstrates  how  an  ounce  of  outreach 
is  worth  a  pound  of  enforcement,  so 
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What  Social  Media  Has  to  Offer 
Offices  of  Inspectors  General 


By  Nancy  Eyl 

The  federal  government  likes  social  media. 
According  to  the  Government  Accountability 
Office,  as  of  April  2011,  23  of  24  major  federal 
agencies  had  established  accounts  on  Facebook, 
Twitter  and  YouTube.1  As  of  June  2012,  about  700 
different  federal  departments  and  agencies  are  using 
more  than  1,000  Twitter  accounts.2  The  FBI  has 
more  than  250,000  Facebook  fans,  and  NASA  has 
about  2.6  million  Twitter  followers.3  The  General 
Services  Administration  recently  launched  a  social 
media  registry  where  government  agencies  can 
list  up  to  22  different  social  media  platforms  each 
agency  uses  (and  constituents  can  check  whether 
a  site  is  legitimate).  Twitter  donated  its  entire 
archives  to  the  Library  of  Congress.4  Despite  all  this 
activity,  though,  a  recent  report,  rating  34  federal 
executive  agencies’  “Klout  scores”  for  social  media 
impact,  did  not  mention  a  single  Office  of  Inspector 
General.5  Neither  did  GovLoop  and  OhMyGov’s 
Government  Social  Media  Leaderboard,  which  has 
a  separate  category  for  small  agencies.6 

The  Council  of  Inspectors  General  on  Integrity 
and  Efficiency  New  Media  Working  Group  report 
points  out  that  OIGs  actively  using  new  media  are 
a  minority.7  Just  slightly  more  than  half  (39)  of  the 
79  CIGIE  members  polled  responded  to  the  survey 
the  working  group  sent  out.  (In  comparison,  67 

1)  U.S.  Gov’t  Accountability  Office,  GAO-11-605,  Social  Media:  Federal  Agencies  Need  Poli¬ 
cies  and  Procedures  for  Managing  and  Protecting  Information  They  Access  and  Disseminate 
4-5  (2011). 

2)  Ines  Mergel,  Working  the  Network:  A  Manager’s  Guide  for  Using  Twitter  in  Government, 
IBM  Center  for  the  Bus.  of  Gov’t,  May  14,  2012,  at  10. 

3)  See  Government  Social  Media  Leaderboard:  How  does  your  Agency’s  Social  Media  Presence 
Stack  up?,  GovLoop,  http://www.govloop.com/page/government-social-media-leader  (last 
visited  Aug.  1,  2012)  (listing  agencies  according  to  their  social  media  impact). 

4)  Matt  Raymond,  How  Tweet  it  Is!  Library  Acquires  Entire  Twitter  Archive,  Library  of 
Congress  Blog  (APR.  14, 2010),  http://blogs.loc.gov/loc/2010/04/how-tweet-it-is-library- 
acquires-entire-twitter-archive/.  Twitter  donated  its  archive  on  April  14,  2010,  the  same  day 
the  Library  of  Congress’  Twitter  feed  (@librarycongress)  crossed  50,000  followers. 

5)  See  Mergel,  supra  note  2,  at  48.  A  “Klout  Score”  uses  data  from  social  networks  in  order  to 
measure  one’s  social  media  impact  and  reach.  See  Klout,  http://www.klout.com  (last  visited 
Aug.  17,  2012). 

6)  See  GovLoop,  supra  note  3. 

7)  U.S.  Dep’t  of  Homeland  Sec.  Office  of  Inspector  Gen.,  Recommended  Practices  for  Office 

of  Inspectors  General  Use  ofNew  Media,  OIG-11-120  (2011),  available  at  http://www. 

ignet.gov/randp/cigienewmediarptllll.pdf  (focusing  broadly  on  all  forms  of  electronic, 
digitalized,  and  interactive  media,  not  just  social  media). 


of  the  68  CIGIE  members  responded  to  an  earlier 
CIGIE/DHS  OIG  hotline  survey.)8  Only  two-thirds 
(26)  of  new  media  survey  respondents  identified 
themselves  as  “new  media  users.”  Appendix  B  of 
the  report,  which  lists  how  OIGs  use  such  tools 
as  Linkedln,  Twitter,  Facebook,  SharePoint,  RSS 
feeds,  survey  tools,  WebEx,  YouTube  and  Max, 
shows  that  most  OIGs  using  new  media  largely  use 
internal  tools.  Few  are  invested  in  interactive  social 
media.  The  report  highlights  several  creative  uses  of 
interactive  media,  including  that  National  Archives 
and  Records  Administration  OIG  uses  Facebook 
to  help  recover  missing  documents  and  other  arti¬ 
facts,  and  the  U.S.  Postal  Service  OIG  involves  the 
public  in  ongoing  audits  through  its  Audits  Projects 
blog.9  However,  as  of  the  survey,  only  one  OIG  used 
YouTube,  nine  OIGs  used  Twitter,  and  three  used 
Facebook.  In  addition  to  the  fact  that  few  OIGs  are 
using  social  media  interactively,  not  all  investiga¬ 
tors,  auditors  and  inspectors  routinely  use  social 
media  to  collect  information.  It  also  is  unlikely  that 
most  OIGs  follow  social  media  trends  on  the  issues 

“Fhe  report  hip f fights  severaf 
creative  uses  of  interactive  media, 
incfucfing  that  ffifationaf Archives 
and  (Records  Administration  OlCj 
uses  Face6ooh^to  hefp  recover 
missing  documents  and 
other  artifacts...  ” 

8)  U.S.  Dep’t  of  Homeland  Sec.  Office  of  Inspector  Gen.,  Recommended  Practices  for  Office  of 
Inspector  General  Hotlines  2  (2010),  available  at  http://www.ignet.gov/randp/ighotlinel010.pdf. 

9)  See  United  States  Postal  Serv.,  http://auditprojects.uspsoig.gov/  (last  visited  Aug.  1,  2012). 
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they  oversee  or  monitor  their  agency’s  activities 
and  performance  through  social  media  analytics. 

Two  questions  arise.  First,  why  aren’t  more 
OIGs  incorporating  social  media  into  regular 
operations?  Second,  how  are  the  OIGs  using  social 
media  actually  using  it?  Are  they  using  it  to  its  full 
advantage? 

In  this  article,  I  will  describe  some  of  the 
benefits  that  social  media  offer.  Although  I  practice 
law  at  an  OIG,  I  do  not  intend  to  cover  social  media 
legal  issues  or  give  legal  advice.10  Rather,  I  will 
discuss  how  social  media  can  help  OIGs  do  three 
things  critical  to  the  OIG  mission:  collect,  dissemi¬ 
nate  and  exchange  information.  I  then  will  offer 
two  additional  reasons  as  to  why  OIGs  need  to  be 
aware  of  social  media.  First,  employees  are  using  it 
whether  an  OIG  does  or  not,  and  employees  need 
guidance.  Second,  the  Obama  Administration 
increasingly  is  requiring  agencies  to  leverage  digi¬ 
talized  technology,  and  social  media  is  a  part  of 
that.  In  the  conclusion,  I  discuss  factors  that  make 
it  hard  to  justify  ignoring  social  media.  By  that, 
I  mean  that  the  privacy,  legal  and  information 
security  issues  are  manageable;  many  resources 
already  exist;  and  an  OIG  can  start  with  less  than 
one  full-time  employee.  Therefore,  for  a  relatively 
little  investment,  an  OIG  may  get  a  big  bang. 

SOCIAL  MEDIA  BENEFITS 
GATHERING  INFORMATION 
Helping  Investigators,  Auditors  and  Inspectors 
Even  in  investigations  focused  on  only  one  person, 
social  media  can  help  investigators  find  a  sub¬ 
ject’s  other  email  addresses;  telephone  numbers; 
addresses;  social  media  monikers;  hidden  assets; 
the  spoils  of  workplace  thefts  being  sold  on  e- com¬ 
merce  and  online  auction  sites;  evidence  of  lavish 
purchases;  travel  destinations;  and  other  facts  to 
help  establish  a  pre-incident  and  post-incident 
timeline.  Social  media  can  establish  motives,  prove 
and  disprove  alibis,  and  establish  crime  or  criminal 
enterprise.  Colleagues’,  neighbors’  or  friends’  posts 
can  provide  many  leads  in  an  investigation,  which 
a  suspect’s  telephone  records  or  bank  account 
information  may  not  show.  Ranging  from  online 
dating  to  video  sharing,  social  media  can  provide 

10)  The  new  CIGIE  permanent  standing  working  group  for  new  media  will,  among  other 
things,  issue  educational  guides  on  legal,  informational  security,  and  privacy  issues.  For 
a  brief  overview  of  the  some  of  the  legal  issues,  see  the  CIGIE  New  Media  Report,  which 
outlines  such  legal  issues  as  records  management,  privacy,  procurement,  terms  of  service, 
intellectual  property,  and  ethics.  Appendix  D  of  the  report  lists  some  applicable  laws  and 
regulations. 


a  lot  of  information  that  may  be  pertinent  to  OIG 
investigations  for  those  trained  to  look  for  it.  Take 
conspiracy,  for  example.  Even  when  private  com¬ 
munications  are  not  readily  available,  just  knowing 
who  is  “friends”  with  whom  can  help  an  inves¬ 
tigator  unravel  a  conspiracy  to  commit  a  crime. 
Social  media  can  reveal  connections  by  two  or 
three  degrees  of  separation. 

“dhinh^of  sociah  media  Cihe 
contemporary  communication 
channel — if  you  tune  in,  you  can 
hear  what  peopCe  are 
tabbing  a6out.  ” 

Similarly,  auditors  and  inspectors  can  use 
social  media  to  gather  information.  Many  busi¬ 
nesses,  state  and  local  governments,  and  other 
entities  have  a  presence  on  social  media  platforms. 
Contract  and  grant  recipients,  whether  individ¬ 
uals  or  entities,  have  social  media  connections,  as 
do  federal  government  employees.11  Auditors  can 
explore  those  connections  to  see  whether  a  local 
government  official  or  federal  contracting  officer 
awarded  a  grant  or  contract  to  a  family  member 
or  close  connection.  As  with  investigators,  social 
media  can  help  auditors  identify  sources  of  ancil¬ 
lary  income;  discover  information  that  a  person 
has  hidden;  and  provide  additional  evidence  of 
fraud  and  wrongdoing. 

Tune  In  to  Social  Media  to  Follow  News 
In  addition  to  helping  investigators  and  auditors, 
social  media  allows  an  OIG  to  follow  public  con¬ 
versations  about  mission-critical  issues.  Think 
of  social  media  like  contemporary  communica¬ 
tion  channels — if  you  tune  in,  you  can  hear  what 
people  are  talking  about.  Keeping  abreast  of  public 
conversations  and  cutting-edge  news  can  help 
OIG  personnel  address  concerns  promptly  and 
effectively.  Following  mainstream  press  no  longer 
suffices.  With  everyday  “citizen-reporters”  often 
breaking  the  news,  any  OIG  public  affairs  office 

11)  Auditors  should  check  with  counsel  before  looking  up  federal  employees’  social  media 
activities  as  part  of  an  audit.  Caveat  notwithstanding,  public  posts  are  public. 
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seeking  information  about  a  crisis  before  the  story 
hits  mainstream  news  needs  to  tune  into  social 
media. 

More  and  more  government  agencies  are 
tuning  in.  According  to  a  Request  for  Information 
that  the  FBI  published  in  January  2012,  “[s]ocial 
media  has  become  a  primary  source  of  intelligence 
because  it  has  become  the  premier  first  response 
to  key  events  and  the  primal  alert  to  possible 
developing  situations.”12  It  “trump [s]  traditional 
first  responders”  including  police,  firefighters, 
EMTs  and  journalists.  With  this  in  mind,  the  FBI 
is  conducting  market  research  “to  determine  the 
capability  of  industry  to  provide  an  open  source 
and  social  media  alert,  mapping,  and  analysis 
application  solution.”  Among  other  required  capa¬ 
bilities,  solutions  must  provide  instant  notification 
of  breaking  events  and  emerging  threats  and  geo- 
locate  them  onto  geo-spatial  maps.  They  also 
must  put  coding  and  critical  infrastructural  layers 
onto  geo-spatial  maps,  including  U.S.  domestic 
and  international  terror  data,  and  U.S.  embassies, 
consulates  and  military  installations  worldwide. 
Finally,  solutions  must  allow  searching  and  moni¬ 
toring  of  all  publicly  available  tweets  or  postings  in 
social  networking  sites. 

DHS  has  been  actively  monitoring  social 
networks  for  at  least  two  years.  In  2010,  the  DHS 
Office  of  Operations  Coordination  and  Planning, 
including  the  National  Operations  Center,  launched 
a  social  networking  monitoring  and  media  capa¬ 
bility  to  help  DHS  components  respond  to  the 
earthquake  in  Haiti  and  the  BP  oil  spill,  and  prepare 
for  the  2010  Winter  Olympics.  In  February  2011, 
DHS  published  a  notice  regarding  a  new  system  of 
records,  stating,  “the  NOC  will  use  Internet-based 
platforms  that  provide  a  variety  of  ways  to  follow 
activity  related  to  monitoring  publicly  available 
online  forums,  blogs,  public  websites  and  message 
boards.”13 

In  addition  to  monitoring  instant  develop¬ 
ments,  an  OIG  also  can  use  social  media  metrics  to 
assess  sentiment  analysis.14  Currently,  most  metrics 
tools  focus  on  private-sector  consumer  behaviors 

12)  Social  Media  Application,  Fed.  Bureau  of  Investigations,  Strategic  Info.  &  Operations  Ctr. 
(Jan.  19,  2012),  https://www.fbo.gov/utils/view?id=7f9abf0ff0fdbal71dll30ddf412aea3. 

13)  DHS/OPS — 004  Publicly  Available  Social  Media  Monitoring  and  Situational  Awareness 
Initiative  System  of  Records,  76  Fed.  Reg.  5603  (Feb.  1, 2011). 

14)  Beware  of  a  backlash.  In  February  2012,  at  a  hearing  before  the  Committee  on  Homeland 
Security’s  Subcommittee  on  Counterterrorism  and  Intelligence,  members  of  Congress  criti¬ 
cized  DHS  for  hiring  a  contractor  to  monitor  criticism  of,  and  public  reaction  to,  DHS  poli¬ 
cies  and  response  activities,  and  policies  of  other  U.S.  government  departments  and  agencies. 
Several  members  expressed  support  for  the  Electronic  Privacy  Information  Centers  proposal 
that  DHS  suspend  the  program,  claiming  that  this  activity  violates  First  Amendment  rights. 


and  business  metrics.  A  Google  search  for  “social 
media  audit”  reaps  plenty  of  information  on  how 
to  measure  a  business’s  performance,  but  nothing 
at  first  glance  seems  tailored  to  the  government. 
This  is  changing.  On  June  4,  the  Navy  issued  a 
solicitation  that  may  help  develop  metrics  tools  for 
the  public  sector.  This  new  tool  will  empower  the 
Navy  to  monitor  the  conversation  “surrounding” 
the  Navy.15  It  also  will  allow  the  Navy  to  measure 
its  ability  “to  effectively  tell  the  Navy’s  story  to 
the  public,”  and  “measure  interaction  (not  just 
passive  consumption)”  and  “advancement  of  key 
messages.”16 

DISSEMINATING  INFORMATION 
In  addition  to  collecting  information,  OIGs  can  use 
social  media  to  disseminate  information.  Doing 
so  could  serve  at  least  three  objectives:  1)  help 
educate  people  about  fraud,  waste  and  abuse;  2) 
help  increase  appropriate  hotline  use;  and  3)  help 
OIGs  control  the  message  about  the  work  they  do 
(rather  than  allowing  other  organizations  to  speak 
for  them).  Despite  some  OIGs’  concerns  about 
public  relations  pitfalls,  disseminating  information 
for  these  purposes  is  a  valid  function  of  the  OIG. 

Social  Media  is  an  Educational  Tool 

Consider  the  numerous  Web  sources  that  say  that 
social  media  is  now  the  No.  1  online  activity.17  An 
August  2011  Pew  Internet  survey  showed  that  65 
percent  of  adults  on  the  Internet  use  social  net¬ 
working  sites — more  than  double  the  percentage 
reported  in  2008. 18  This  represents  half  of  all  adults 
in  the  U.S.19  Given  this  market  share,  social  media 
presents  an  ideal  platform  for  OIGs  to  educate  the 
public — including  federal  government  employees — 
about  preventing,  detecting,  and  reporting  fraud, 
waste,  and  abuse,  and  to  shore  up  confidence  in 

15)  Social  Media  Monitoring:  Solicitation  No.  N00189-12-T-Z131,  Dep’t  of  the  Navy,  https:// 
www.neco.navy.mil/upload/N00189/N0018912TZl3112TZ131.doc  (last  visited  Aug.  17, 
2012).  The  solicitation  states  that  while  the  ability  to  track  direct  mentions  of  a  given  social 
media  alias,  property,  or  hashtag  is  important,  the  Navy  is  “also  interested  in  monitoring  the 
larger  conversation  that  surrounds  its  brand  and  activities  on  a  day-to-day  basis.”  The  Navy 
“requires  the  ability  to  track  the  number  of  times  a  keyword  is  mentioned  in  relation  to  the 
U.S.  Navy . . .  and  the  most  popular  content  (measured  by  views  and  interactions)  across 
the  entire  WWW  mentioning  the  U.S.  Navy  (this  content  is  not  necessarily  produced  by  the 
Navy,  but  relates  to  the  Navy).” 

16)  Id. 

17)  I  am  unable  to  verify  this  statistic,  but  for  what  it  is  worth  some  sources  say  that  social 
networking  reaches  82%  of  the  worlds  online  population,  or  1.2  billion  users.  See,  e.g..  It’s 
a  Social  World:  Top  10  Need-to-Knows  About  Social  Networking  and  Where  It’s  Headed, 
ComScore,  4  (Dec.  21,  2011),  http://www.comscore.com/Press_Events/Presentations_White- 
papers/2011/it_is_a_social_world_top_10_need-to-knows_about_social_networking. 

18)  Mary  Madden  &  Kathryn  Zickuhr,  65%  of  Online  Adults  Use  Social  Networking  Sites, 

Pew  Internet  &  Am.  Life  Project  (Aug.  26,  2011),  http://pewinternet.org/Reports/2011/ 
Social-Networking-Sites.aspx..  The  findings  come  from  national  survey  findings  from  a  poll 
conducted  on  landline  and  cell  phones,  in  English  and  Spanish,  between  April  26  and  May 
22, 2011,  among  2,277  adults  (age  18  and  older).  Id.  at  4. 

19)  Id.  at  2. 
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the  government  through  transparency  and  acces¬ 
sibility.  Several  OIGs  use  their  websites  to  educate 
the  public  about  spotting  and  preventing  Medicaid, 
mortgage,  tax  relief,  and  other  types  of  fraud.  With 
social  media,  however,  OIGs  can  reach  a  broader 
and  growing  audience.  As  social  media  overtakes 
the  Web,  relying  solely  on  a  website  to  educate 
people  may  not  suffice. 

Social  Media  May  Help  Increase  Appropriate 
Hotline  Use 

Second,  using  social  media  to  disseminate  infor¬ 
mation  about  the  OIG  mission  and  hotline  may 
increase  appropriate  hotline  use.  A  2010  CIGIE/ 
DHS  OIG  hotline  report  points  out  that  some 
OIGs  receive  more  than  50,000  hotline  calls  a  year, 
and  many  are  “frivolous,  misdirected,  or  otherwise 
unsuitable  for  further  action  by  the  OIG,  creating  a 
strain  on  a  hotline’s  often  limited  resources.”20  Since 
most  hotline  complaints  do  not  justify  action  by  the 
OIG,21  potential  complainants  need  to  be  educated 
on  the  role  and  authority  of  the  OIG.  Furthermore, 
according  to  the  CIGIE  report,  several  OIGs  do  not 
provide  a  mechanism  for  reporting  waste,  fraud 
and  abuse,  in  violation  of  the  IG  Act.22  In  addition, 
some  do  not  respond  to  complainants  or  track 
calls,  leaving  people  to  wonder  whether  OIGs  are 
listening. 

The  CIGIE  hotline  report  recommends  that 
OIG  hotlines  “aggressively  advertise  the  OIG 
hotline  to  agency  employees  and  the  general 
public.”23  Recommendation  No.  9  states  that  “OIG 
hotlines  should  consider  engaging  in  education 
and  outreach  efforts  to  raise  the  profile  of  their 


20.  U.S.  Dep’t  of  Homeland  Sec.  Office  of  Inspector  Gen.,  supra  note  8,  at  3. 

21.  Id.  at  13. 

22)  Id. 

23)  Id.  at  11. 


hotline  and  its  purpose  to  the  parent  organizations 
employees  and  contractors,  thereby  increasing  the 
number  of  relevant  and  actionable  complaints  the 
hotline  receives.”24  The  report  also  recommends 
that  OIGs  consider  evaluating  technology  and 
consider  using  social  networking  sites  to  facilitate 
hotline  reporting  because  many  individuals  choose 
to  report  via  Internet  instead  of  the  phone,  and  they 
probably  would  report  via  such  social  networking 
sites  as  Facebook,  MySpace  and  Twitter.25 

Using  social  networks  to  facilitate  appropriate 
hotline  reporting  is  working  for  at  least  one  OIG. 
During  fiscal  year  2012,  the  U.S.  Postal  Service  OIG 
referred  to  its  Office  of  Investigations  more  than 
710  leads  originating  from  posts  to  its  Facebook, 
Twitter  and  blog  accounts.26 

SOCIAL  MEDIA  MAY  HELP  OIGS  CONTROL 
THE  MESSAGE 

As  Ines  Mergel  writes  in  a  newly  released  report, 
Twitter  can  be  used  to  control  and  direct  messages 
to  influencers  in  the  network.27  To  what  extent  do 
OIGs  effectively  use  such  social  media  tools  as 
Twitter  to  relay  the  OIG  story?  As  the  GSA  scandal 
on  conference  spending  unraveled,  how  many 
people  had  never  heard  of  GSA  OIG?  Despite 
regular  mention  of  OIGs  in  the  news,  stating  “I 
work  for  an  OIG”  draws  blank  stares  at  dinner 
parties — even  in  Washington,  D.C.  To  non-feds, 
the  federal  government  can  appear  to  be  an  inpen- 
etrable  monolith,  with  little  to  no  accountability. 
This  can  be  changed  if  OIGs  tell  their  own  story. 
Moreover,  if  OIGs  do  not  tell  their  story,  others  will. 

Organizations  such  as  Electronic  Privacy 
Information  Center,  the  Electronic  Frontier 
Foundation,  and  the  Project  on  Government 
Oversight  are  using  social  media  to  reach  people 
and  share  their  respective  missions.  POGO — the 
self-proclaimed  “only  organization  focused  on  the 
inspector  general  vacancies” — has  a  “Where  are  the 
Watchdogs”  page  that  tracks  how  long  inspector 
general  posts  have  been  vacant.28  Its  podcast, 
“Without  Inspectors  General,  What  Government 
Waste  Are  We  Missing?”  discusses  “how  the 
GSA  got  busted.”  But  unlike  most  OIGs,  POGO 

24)  Id.  at  14. 

25)  Id.  at  28. 

26)  Tara  Linne,  the  U.S.  Postal  Service  OIG’s  social  media  director,  shared  this  story. 

27)  Mergel,  supra  note  2,  at  19. 

28)  As  of  Sept.  6,  2012,  this  page  lists  eight  IG  vacancies  ranging  from  223  days  (Securities 
and  Exchange  Commission)  to  1695  days  (Department  of  State).  See  http://www.pogo.org/ 
resources/good-government/go-igi-20120208-where-are-all-the-watchdogs-inspector- 
general- vacancies  1  .html. 
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connects  with  the  public  via  at  least  seven  different 
social  media  outlets:  Twitter,  Facebook,  YouTube, 
Flikr,  podcasts,  RSS  feeds  and  a  blog.  According  to 
POGO’s  social  media  director,  many  people  who 
find  POGO  through  POGO’s  Facebook  page  say 
that  they  did  not  know  there  was  an  organization 
devoted  to  exposing  fraud  and  corruption  in  the 
government.  Although  OIGs  are  not  competing  for 
an  audience,  it  is  sad  to  think  that  (1)  people  may 
not  know  what  an  OIG  is  or  (2)  if  they  know  about 
the  OIG,  they  may  nonetheless  prefer  to  report 
fraud,  waste  and  abuse  to  POGO. 

Controlling  the  message  is  important  because 
OIG  interests  are  not  always  aligned  with  the 
interests  of  other  organizations.  For  example, 
Electronic  Frontier  Foundation  publishes  “When 
the  Government  Comes  Knocking,  Who  Has  Your 
Back?”  which  rates  ISPs,  email  providers  and  social 
networking  sites  based  on  the  extent  to  which  they 
publicly  commit  to  telling  users  when  the  govern¬ 
ment  seeks  data  about  them,  unless  accompanied 
by  a  court  order  or  prohibited  by  law.29  EFF  expects 
such  companies  to  go  to  court  to  fight  for  their 
users’  privacy  interests  and  report  on  how  often 
they  provide  data  to  the  government.  EFF  reports 
on  whether  companies  have  joined  the  “Digital  Due 
Process  Coalition,”  a  group  advocating  for  elec¬ 
tronic  privacy  legislation  requiring  the  government 
to  show  a  court- ordered  warrant  to  access  to  any 
electronic  information.30  In  addition,  EFF  lobbies 
Congress  to  oppose  mandatory  ISP  and  telecom 
data  retention  legislation.31  It  recently  announced  a 
“moment  to  celebrate”  when  a  child  protection  bill 
passed  without  a  data  retention  provision.32 

OIG  Concerns  About  Public  Relations  May  Be 
Based  on  Misunderstanding 
Despite  the  benefits  of  using  social  media  to  dis¬ 
seminate  information,  there  are  some  perceived 
barriers.  The  CIGIE  New  Media  Working  Group 
survey  results  showed  that  some  OIGs  are  con¬ 
cerned  about  using  social  media  for  “public 
relations”  because  such  use  could  make  an  OIG 


29)  See  Elec.  Frontier  Found,  press  release  (May  31,  2012),  https://www.efF.org/press/releases/ 
when-government-comes-knocking-who-has-your-back. 

30)  Id. 

31)  See  Rainey  Reitman,  How  Internet  Companies  Would  Be  Forced  to  Spy  on  You  Under 
H.R.  1981,  Elec.  Frontier  Found.  (Feb.  23,  2012)  (equating  legislation  requiring  ISPs  to  keep 
electronic  data  for  12  months  to  government  spying),  https://www.efF.org/deeplinks/2012/02/ 
how-internet-companies- would-be-forced-spy-you-under-hr- 1981. 

32)  See  Rainey  Reitman,  A  Moment  to  Celebrate:  No  Data  Retention  Mandate  in  Smiths 
New  Child  Protection  Bill,  Elec.  Frontier  Found.  (July  5,  2012),  https://www.efF.org/ 
deeplinks/2012/07/moment-celebrate-no-data-retention-mandate-smith%E2%80%99s- 
new-child-protection-bill. 


appear  self-aggrandizing.  This  concern  may  be 
based  on  a  misunderstanding.  Using  social  media 
is  not  about  emphasizing  the  importance  of  the 
OIG  or  an  OIG  official.  Neither  is  it  about  “puffery” 
or  “self-aggrandizement.”33  Rather,  it  is  about 
education  and  transparency — and  leveraging  tech¬ 
nology  to  maximize  fraud  prevention.  OIGs  would 
not  use  social  media  to  engage  in  such  forbidden 
activities  as  advocating  for  legislation  or  pay  raises, 
or  encouraging  the  public  to  contact  Congress 
regarding  legislation.  On  the  contrary,  they  would 
educate  the  public  about  what  OIGs  are  and  what 
they  do. 

Appropriations  restrictions  on  publicity  and 
propaganda  do  not  prohibit  an  agency’s  legitimate 
informational  activities.34  In  fact,  the  executive 
branch  has  a  duty  to  inform  the  public  regarding 
government  policies.35  Traditionally,  officials  have 
used  government  resources  in  explanation  and 
defense  of  their  policies — even  in  the  absence  of 
specific  direction  or  a  mandate.36  GAO  has  con¬ 
sistently  held  that  public  officials  may  report  on 
the  activities  and  programs  of  their  agencies,  may 
justify  those  policies  to  the  public,  and  may  rebut 
attacks  on  those  policies.37 

In  addition,  some  CIGIE  survey  respondents 
stated  that  directly  engaging  the  public  might 
exceed  the  OIG  mission  since  the  IG  Act  only 
requires  OIGs  to  keep  Congress  and  the  head  of  the 
agency  informed  about  problems  and  deficiencies. 
The  IG  Act  does  not  require  informing  “taxpayers” 
or  “public  at  large.”  While  that  is  true,  all  U.S.  gov¬ 
ernment  agencies  serve  the  taxpayer,  and  OIGs  are 
no  exception.  If  taxpayers  do  not  know  the  OIG 
exists,  how  can  they  appreciate  an  OIGs  service? 
One  could  argue  that  the  public  needs  to  educate 

33)  In  the  past  50  years,  GAO  has  noted  that  one  of  the  main  targets  of  the  publicity  or  pro¬ 
paganda  prohibition  is  when  the  “obvious  purpose  is  ‘self-aggrandizement’  or  ‘puffery.’”  See, 
e.g.,  U.S.  Gov’t  Accountability  Office,  Office  of  the  Gen.  Counsel,  B-284226.2,  Application  for 
Anti-Lobbying  Restrictions  to  HUD  Report  Losing  Ground  (2000);  U.S.  Gov’t  Accountability 
Office,  Office  of  the  Gen.  Counsel,  B-302504,  Medicare  Prescription  Drug,  Improvement, 
and  Modernization  Act  of  2003  (2004).  GAO  has  defined  self-aggrandizement  as  “publicity 
of  a  nature  tending  to  emphasize  the  importance  of  the  agency  or  activity  in  question.”  U.S. 
Gov’t  Accountability  Office,  B-2 12069,  Restriction  Violations  on  the  Use  of  Appropriations 
in  a  Press  Release  by  the  Office  of  Personal  Management  (1983)  (quoting  31  Comp.  Gen. 

311  (1952)),  [GAO’s]  first  decision  interpreting  the  publicity  or  propaganda  prohibition). 

For  example,  an  agency  would  be  prohibited  from  using  appropriated  funds  to  issue  a  press 
release  intending  to  persuade  the  public  as  to  the  importance  of  a  government  agency.  Id. 
(finding  OPM  press  releases  informing  the  public  of  the  Administration’s  position  on  pend¬ 
ing  legislation  unobjectionable). 

34)  Benjamin  S.  Rosenthal,  House  of  Representatives,  B- 184648, 1975  WL  9457  (Comp.  Gen. 
Dec.  3, 1975)  (discussing  an  agency’s  “legitimate  interest  in  communicating  with  the  public”). 

35)  Medicare  Prescription  Drug,  Improvement,  and  Modernization  Act  of  2003,  B-302504, 
2004  WL  523435  (Comp.  Gen.  Mar.  10,  2004)  (citing  B-130961,  Oct.  26, 1972)  (stating  that 
“agencies  have  a  general  responsibility,  even  in  the  absence  of  specific  direction,  to  inform 
the  public  of  the  agency’s  policies”). 

36)  Id. 

37)  Id.  (citing  B-223098,  Oct.  10, 1986)  (stating  that  “public  officials  may  report  on  the  activi¬ 
ties  and  programs  of  their  agencies,  may  justify  those  policies  to  the  public,  and  may  rebut 
attacks  on  those  policies”). 
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itself — and  could  start  by  clicking  on  the  agency 
website  link  to  the  OIG.  But  the  public  increasingly 
expects  the  government  and  other  sources  to  share 
information  and  news  directly  via  social  media. 
Using  social  media  to  publicize  reports  could  help 
educate  the  public  about  OIGs  and  help  OIGs 
become  more  accessible,  transparent,  and  partici¬ 
patory  -  as  good  government  is  envisioned. 

EXCHANGING  INFORMATION 
In  addition  to  collecting  and  disseminating  infor¬ 
mation,  OIGs  can  use  social  media  to  exchange 
information.  Specifically,  rather  than  just  passively 
informing  taxpayers  about  how  to  report  fraud 
or  corruption,  or  tweeting  to  Congress  about  a 
newly  released  report,  OIGs  can  use  social  media 
to  hold  a  digitalized  “town  hall.”  One  IG  recently 
used  a  Twitter  hashtag,  #AsktheIG,  to  collect  ques¬ 
tions  from  an  audience  of  about  2,600  conference 
attendees.38  By  connecting  to  various  outlets,  such 
as  email,  Twitter,  and  Linkedln,  the  IG  addressed 
dozens  of  questions  in  real-time.  Other  federal  gov¬ 
ernment  agencies  do  the  same.  In  January  2012,  the 
Department  of  State’s  daily  press  briefings  opened 
questions  to  Twitter  users  tweeting  to  hashtag 
#AskState.  The  same  month,  the  president  hosted 
his  first  “Hangout  on  Google+,”  a  group  video-chat 
service.  More  than  227,000  people  submitted  topics 
for  discussion.  The  White  House  also  has  held 
Facebook  and  Twitter  town  hall  meetings.  Using 
social  media  like  this  shores  up  public  confidence. 

Social  media  offers  other  opportunities  to  col¬ 
laborate.  For  instance,  in  April  2012  the  Agency  for 
International  Development  announced  the  Tech 
Challenge  on  Atrocity  Prevention,  a  contest  seeking 
technological  solutions  to  improve  the  ability  to 
model  or  forecast  the  potential  for  mass  atrocities 
and  “link  early  warning  to  early  responses.”39  In 
May  2011,  the  Navy  launched  a  computer  game, 
energyMMOWGLI — or  Massive  Multiplayer 
Online  Wargame  Leveraging  the  Internet — to  tap 
players’  ideas  on  how  the  Navy  can  meet  energy 
needs.  According  to  a  Challenge.gov  program 
administrator,  since  September  2010,  46  agencies 
and  bureaus  have  published  challenges,  offering 
prizes  or  recognition  for  top  solutions  to  problems. 
Receiving  300,000  visits  a  month,  Challenge.gov 


38)  Roberta  Baskin  with  HHS  OIG  shared  this  story  about  IG  Daniel  Levinson. 

39)  USAID’s  Tech  Challenge  on  Atrocity  Prevention,  USAID  (Apr.  23,  2012),  http://transition. 
usaid.gov/press/factsheets/20 1 2/fs 1 20423 .html. 


is  a  public-engagement-oriented  division  under 
GSA’s  Office  of  Citizen  Services  and  Innovative 
Technologies.  To  participate,  all  OIGs  need  to  do 
is  get  an  account,  draft  some  specifications  of  a 
problem  to  be  solved  and  then  publish  it.40 

OTHER  REASONS  WHY  OIGS  NEED  TO  BE 
AWARE  OF  SOCIAL  MEDIA 
Besides  the  above-mentioned  benefits,  there  are  at 
least  two  additional  reasons  as  to  why  OIGs  need 
to  be  aware  of  social  media:  OIG  employees  need 
guidance  on  how  to  appropriately  use  social  media 
so  as  to  avoid  conflicts  with  work-related  responsi¬ 
bilities,  and  the  U.S.  Administration  is  increasingly 
requiring  executive  branch  agencies  to  leverage 
technology. 

Employees  Use  Social  Media 

First,  OIG  employees  are  using  social  media  whether 
an  OIG  does  or  not,  and  employees  need  guidance. 
Drafting  internal  guidance  may  be  a  good  idea 
because  employees  not  only  may  use  social  media 
to  talk  about  their  home  lives,  but  also  to  discuss 
bosses,  colleagues  and  other  aspects  of  their  work. 
Employees  untrained  in  social  media  may  cause 
serious  and  unintended  consequences,  including 
compromised  trials,  impeached  witnesses,  cyber¬ 
security  issues  and  personnel  problems.  The  story 
of  the  “Officer  Who  Posted  Too  Much  on  MySpace” 
could  frighten  any  law  enforcement  agency  into 
drafting  a  policy.41  In  interviews,  law  enforcement 
officers  whose  posts  impeached  them  said  if  they 
had  known  that  social  media  could  be  discov¬ 
erable,  they  would  not  have  posted  “that  stupid 
comment.”  But  they  posted  before  their  employer 
had  a  social  media  policy,  and  they  did  not  know 
their  private  social  media  account  activities  could 
be  used  by  defense  counsel  in  court.  A  policy  will 
put  employees  on  notice  that  social  media  is  not  the 
place  for  water  cooler  or  locker  room  bravado  talk. 
Everything  in  social  media  exists  in  perpetuity,  and 


40)  Another  possibility  is  to  seek  an  in-house  solution.  FEMA,  for  example,  designed  a  mo¬ 
bile  app  that  allows  users  to  access  a  checklist  of  disaster  supplies,  checking  what  is  already 
in  the  pantry  so  that  users  know  what  to  buy.  It  includes  an  emergency  contact  page  and 
the  user’s  emergency  plan  -  with  information  stored  on  the  device  and  not  with  the  agency 
(to  address  privacy  concerns).  The  response  part  of  the  app  allows  users  to  find  shelters  and 
disaster  recovery  centers. 

41)  See  Jim  Dwyer,  7 he  Officer  Who  Posted  Too  Much  on  MySpace,  N.Y.  TIMES,  March  10, 
2009.  Dwyer  interviewed  an  officer  whose  MySpace  posts  allowed  someone  to  beat  a  felony 
weapons  charge  at  State  Supreme  Court,  Brooklyn.  The  arresting  officer  posted  before  the 
trial  that  he  was  feeling  “devious”  and  was  “watching  ‘Training  Day’  to  brush  up  on  proper 
police  procedure.”  Id. 
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it  may  be  discoverable.42  In  addition,  not  every¬ 
thing  is  protected  by  the  First  Amendment. 


“...OlCj  empCoyees  are  using 
sociaC media  whether  an  OI(j 
does  or  not ,  and empCoyees 
need  guidance.  ” 


In  the  private  sector,  there  is  a  growing  body 
of  case  law  on  disputes  between  employers  and 
employees  regarding  employees’  private  social 
media  activities.  The  Federal  Trade  Commission 
and  the  National  Labor  Relations  Board,  for 
example,  are  bringing  complaints  against  compa¬ 
nies  arising  from  their  social  media  activities  and 
employee-related  activity.43  Recent  cases  before  the 
NLRB  show  that  social  media  policies  risk  violating 
the  rights  of  employees  as  defined  by  Section  7  of 
the  National  Labor  Relations  Act,  as  amended,  par¬ 
ticularly  when  they  are  so  broad  as  to  restrict  or  chill 
protected  activities  and  employee-related  activity. 
Private  employers  who  fire  or  punish  employees 
using  social  media  to  discuss  such  topics  as  work 
conditions,  terms  and  conditions  of  employment, 
managers,  and  management  may  be  ordered  to 
rehire  such  employees  and  provide  back  pay. 

Social  media  has  become  such  a  “hot  topic” 
at  the  NLRB  since  August  2011  that  the  NLRB’s 
acting  general  counsel  has  issued  three  reports  on 
the  latest  social  media  decisions.44  Practitioners 
following  NLRB  case  law  advise  employers  not 
just  to  draff  a  policy,  but  to  draff  a  policy  that  can 
be  enforced.  Although  the  NLRB  and  FTC  do  not 


42)  See,  e.g..  Trail  v.  Lesko,  2010  WL  2864004,  No.  GD-10-017249  (Allegheny  C.P.  July 
3, 2012)  (holding  that  before  a  requesting  party  will  be  granted  unfettered  “access”  to  a 
Facebook  account,  the  party  must  show  a  “sufficient  likelihood”  that  the  non-public  postings 
would  contain  information  that  is  relevant  to  the  litigation  that  is  “not  otherwise  available”). 
The  analysis  in  Trail  v.  Lesko  varies  from  the  standard  threshold  relevancy  model  adopted 
by  some  courts  and  utilizes  a  balancing  approach  based  on  the  “level  of  intrusiveness.”  The 
bulk  of  this  20-page  opinion  serves  as  an  introduction  to  the  discoverability  of  private  social 
media  content  in  Pennsylvania  and  other  jurisdictions. 

43)  In  2009,  the  FTC  established  endorsement  guidelines  on  what  employees  can  say 
online  about  their  company’s  products  and  services.  See  FTC  Guides  Concerning  Use  of 
Endorsements  and  Testimonials  in  Advertising,  16  C.F.R.  Part  255  (2009).  A  company  can 
be  held  liable  if  its  employees  are  less  than  honest,  and  a  consumer  relies  on  an  employee’s 
comments  to  his  or  her  detriment.  However,  since  companies  cannot  monitor  everything 
that  employees  say,  those  with  a  social  media  policy  can  take  advantage  of  a  “safe  harbor” 
offered  by  the  FTC  in  connection  with  its  amended  guidelines. 

44)  Report  of  the  Acting  General  Counsel  Concerning  Social  Media  Cases:  OM 11-74,  NLRB 
(Aug.  18,  2011);  Report  of  the  Acting  General  Counsel  Concerning  Social  Media  Cases:  OM 
12-31,  NLRB  (Jan.  24,  2012);  Report  of  the  Acting  General  Counsel  Concerning  Social  Media 
Cases:  OM  12-59  NLRB  (May  30, 2012).  In  the  preface  to  the  second  report,  the  Acting  IG 
states  that  social  media  is  a  “hot  topic.” 


have  jurisdiction  over  the  federal  government, 
being  familiar  with  the  issues  is  important. 

The  U.S.  Administration  Increasingly  Requires 
Agencies  to  Use  Digitalized  Technology 

Second,  leveraging  technology  is  increasingly 
becoming  an  executive  agency  requirement. 
The  sooner  an  OIG  invests  in  social  media,  the 
easier — and  arguably  more  efficient — it  will  be  to 
implement  future  mandates.  President  Obama’s 
most  recent  digital  government  mandate  requires 
agencies  to  take  even  more  steps  towards  mod¬ 
ernizing  the  way  they  do  business:  On  May  23, 
2012,  the  president  signed  Building  a  21st  Century 
Digital  Government  to  ensure  that  federal  agencies 
use  emerging  technologies  to  serve  the  public  as 
effectively  as  possible.  On  the  same  day,  the  federal 
chief  information  officer  released  a  corresponding 
strategy,  Digital  Government:  Building  a  21st 
Century  Platform  to  Better  Serve  the  American 
People  (Digital  Government  Strategy),  outlining 
actions  that  agencies  must  take  within  one  year 
and  requiring  them  to  post  a  progress  report  on 
their  websites  by  Aug.  23,  2012.  This  new  strategy 
complements  several  other  initiatives  involving 
technological  innovation  to  increase  efficiency, 
maximize  interagency  sharing  and  provide  better 
services  to  the  public.  These  initiatives  include 
Executive  Order  13571  (Streamlining  Service 
Delivery  and  Improving  Customer  Service); 
Executive  Order  13576  (Delivering  an  Efficient, 
Effective,  and  Accountable  Government);  OMB 
Memorandum  M- 10-06  (Open  Government 
Directive),  and  the  25-Point  Implementation 
Plan  to  Reform  Federal  Information  Technology 
Management  (25-Point  Implementation  Plan) 
(December  9,  2010). 

The  Administration’s  drive  to  move  the  gov¬ 
ernment  into  the  future — “more  nimble,  more  cost 
effective  and  more  citizen-focused,”  according  to 
the  25-Point  Implementation  Plan — reinforces  the 
OIG  mission.  Serving  the  public  is  integral  to  the 
mission  of  every  government  agency,  and  this  is 
also  true  of  OIGs.  As  government  watchdogs,  OIGs 
serve  the  public  by  creating  a  channel  for  complaints 
about  fraud,  waste  and  abuse,  and  by  investigating 
wrongdoing  in  government.  The  digital  initia¬ 
tives  emphasize  reducing  waste  and  redundancy; 
breaking  down  programmatic  and  agency  silos  to 
achieve  more  efficiency;  increasing  transparency; 
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and  pushing  agencies  to  implement  creative  solu¬ 
tions  to  persistent — and  costly — bureaucratic 
problems.  For  example,  the  Digital  Government 
Strategy  and  the  Federal  Information  Technology 
Shared  Services  Strategy  (May  2,  2012)  (action  item 
No.  6  in  the  25-Point  Implementation  Plan),  stress 
“innovating  with  less.”  Given  resource  constraints, 
mission  requirements,  customer  expectations,  and 
rapidly- changing  technology,  “innovating  with  less” 
sounds  like  an  efficiency-minded  policy  that  an  OIG 
could  endorse.  Similarly,  the  OIG  mission  aligns 
with  the  Open  Government  Initiative,  which  aims  to 
create  a  government  more  collaborative,  transparent 
and  participatory. 

CONCLUSION 

In  conclusion,  social  media  offers  many  benefits  to 
OIGs.  No  matter  the  types  of  programs  and  opera¬ 
tions  an  OIG  oversees,  OIG  staff  increasingly  needs 
social  media  to  gather  information.  OIGs  also  can 
leverage  social  media  to  fulfill  other  functions,  such 
as  staying  informed  about  mission-critical  issues, 
educating  the  public  about  the  OIG  mission  and 
hotline,  and  facilitating  interactive  communication. 
Social  media  can  help  OIGs  become  even  more  effi¬ 
cient  and  effective  in  their  operations. 

So,  what  is  holding  some  OIGs  back?  If  social 
media  offered  all  of  the  benefits  outlined  above  but 
presented  unreasonable  barriers,  then  jumping 
into  social  media  would  be  unadvisable.  But  that  is 
not  the  case.  Several  factors  make  it  hard  to  justify 
ignoring  social  media. 

First,  as  the  CIGIE  New  Media  Report  points 
out,  the  legal,  privacy  and  information  security 
issues  are  manageable. 

Second,  many  resources  already  exist.  To  cite 
some  examples,  OMB  and  the  Chief  Information 
Officers  Council  have  released  several  guiding  docu¬ 
ments  to  help  agencies  grasp  some  legal  and  security 
issues  associated  with  social  media.  The  Howto, 
gov  website,  managed  by  GSA  and  the  Federal  Web 
Managers  Council,  provides  sample  policies  and 
guidance  on  federal  Web  requirements  and  policies; 
cloud  computing;  applications;  data  and  Web  infra¬ 
structure  tools;  and  online  citizen  engagement.  The 
Web  Content  Managers  Forum,  a  network  of  3,000 
government  Web  professionals  from  federal,  state, 
and  local  agencies,  maintains  a  professional  net¬ 
working  space  on  OMB  Max  and  holds  monthly 
conference  calls.  The  CIGIE  New  Media  Report 


appendices  include  an  information  security  primer, 
as  well  as  a  list  of  legal  resources  and  OIGs  that 
agreed  to  be  contacted  about  their  experiences  with 
social  media  tools. 

In  addition  to  these  resources,  plenty  of 
training  is  available  for  such  disciplines  as  law, 
public  relations,  investigations,  audits  and  infor¬ 
mation  security.  GSA,  for  instance,  supports  the 
DigitalGov  University,  which  provides  such  training 
as  the  annual  Government  Web  and  New  Media 
Conference.45  In  January  2012,  the  Washington, 
D.C.,  chapter  of  the  Association  of  Certified  Fraud 
Examiners  offered  five  continuing  professional  edu¬ 
cation  credits  for  “Social  Media  and  Implications 
to  the  Fraud  Examiner  Community,”  covering  the 
current  social  media  landscape,  program  and  policy 
issues,  and  investigative  techniques.  As  for  legal 
training,  private  organizations  and  local  bars  offer 
training  on  how  to  use  social  media  tools,  how  to 
write  a  social  media  policy,  etc. 

Third,  although  agency  social  media  activi¬ 
ties  require  input  and  expertise  from  multiple 
disciplines,  an  OIG  can  build  a  social  media  program 
with  one  full-time  employee  or  less.  And  if  one  full¬ 
time  employee  is  not  possible,  what  about  sharing 
a  contractor  with  another  OIG  or  two,  drafting  an 
Economy  Act  agreement,  or  hiring  an  intern?  That 
would  be  a  start.  Even  more  interesting  and  creative, 
perhaps,  are  the  OIGs  that  are  rethinking  the  kinds 
of  talent  they  need.  For  instance,  Craig  Goscha,  the 
Chief  Information  Officer  for  the  Department  of 
Agriculture  OIG,  created  a  new  career  path  in  his 
information  technology  shop  when  he  replaced  a 
departing  manager  with  a  “new  media  coordinator.” 
This  new  IT  position  will  involve  coordinating  and 
designing  all  social  media  platforms,  keeping  track  of 
social  media  developments,  measuring  performance 
of  social  media  efforts,  and  following  forums,  blogs 
and  other  outlets  to  keep  abreast  of  the  issues  the 
agency  is  interested  in.  Goscha  said,  “It’s  hard  to  take 
an  IT  person  who  is  trained  to  design  and  imple¬ 
ment  networks,  infrastructure  and  security  and  ask 
them  to  go  design  code,  and  publish  a  website.” 

Much  can  be  achieved  even  without  a  budget.  The 
go-to  guide  for  government  on  how  to  procure  cloud 
services,  for  example,  was  done  without  authority  or 


45)  Unfortunately,  the  conference  scheduled  for  May  16-17,  2012,  was  postponed  this  year  as 
“part  of  an  ongoing  top-to-bottom  review  of  GSA’s  operations,  including  all  conference  spend¬ 
ing.”  See  Matthew  Weigelt,  GSA  postpones  conference  as  part  of  ‘top  to  bottom  review’,  Fed. 
Computer  Week  (May  11,  2012),  http://fcw.eom/articles/2012/05/l  1/new-media-conference- 
postponed.  GSA  also  sent  an  email  to  those  who  registered  for  the  conference. 
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a  budget.  In  collaboration  with  the  Chief  Acquisition 
Officers  Council  and  the  Chief  Information  Officers 
Council,  the  Federal  Cloud  Compliance  Committee 
published  “Creating  Effective  Cloud  Computing 
Contracts  for  the  Federal  Government:  Best 
Practices  for  Acquiring  IT  as  a  Service,”  in  February 
2012.  Since  the  committee’s  first  meeting  in  March 
201 1  in  the  basement  of  the  Department  of  Housing 
and  Urban  Development,  about  eighty  people  have 
joined  subcommittees  to  work  on  contract  clauses. 
Spanning  across  agencies  and  disciplines  (Freedom 
of  Information  Act,  records,  privacy,  cyber  security, 
procurement  and  legal),  the  committee  holds 
meetings  with  borrowed  space  and  uses  SharePoint 
to  store  documents.46 

The  OIG  community  has  similar  passion 
to  make  ideas  happen.47  The  CIGIE  New  Media 
Working  Group  started  with  an  idea  and  grew  into 
a  permanent  standing  working  group.  Fifteen  OIGs 
sent  representatives  to  regular  meetings  at  DHS 
OIG  from  December  2010  until  September  2011 
to  support  the  first  phase  of  the  work.48  Continuing 
under  the  auspices  of  the  CIGIE  Homeland  Security 
Roundtable,  the  permanent  standing  working 
group  began  meeting  again  in  the  fall  of  2012  and 
soon  will  be  publishing  a  detailed  educational 
guide  on  legal,  privacy  and  information  security 
issues.49  Meanwhile,  OIG  public  affairs  officials — 
“inspired”  by  the  working  group,  according  to  one 
steering  committee  member — created  their  own 
CIGIE  council  and  listserv.50  Initiatives  such  as  these 
show  that  OIG  leadership  and  staff,  like  others  in 
the  government,  appreciate  what  social  media  has 
to  offer.  irJ 


46)  Jodi  Cramer  (Air  Force)  shared  this  history. 

47)  Based  on  my  experience  with  the  Council  of  Counsels  to  Inspectors  General,  I  believe  that 
the  OIG  legal  community  must  be  one  of  the  most  interactive  of  all  government  attorney  as¬ 
sociations.  Among  many  CCIG  initiatives,  a  noteworthy  one  is  the  wiki  on  OMB  Max,  created 
by  Sabrina  Segal  (Counsel  to  the  IG  at  the  International  Trade  Commission). 

48)  A  special  thanks  to  CIGIE  New  Media  Working  Group  members  for  their  hard  work, 
good  humor,  and  passion.  They  are  Raman  Santra  (DOC  OIG);  Gary  Sternberg  (EPA  OIG); 
Roberta  Baskin,  Steven  Hernandez,  Janna  Raudenbush,  and  Elise  Stein  (HHS  OIG);  Richard 
N.  Reback,  Louise  McGlathery,  Jennifer  Kim,  and  Rene  Lee  (DHS  OIG);  Colleen  Kane  (HUD 
OIG);  Sabrina  Segal  (ITC  OIG);  Tim  Cross  (NSF  OIG);  Mario  Jimenez  (ED  OIG);  Renee 
Juhans  and  Frank  Mazurek  (NASA  OIG);  Epin  Christensen  (Smithsonian  OIG);  Sonya  Zacker 
(PBGC);  Jonathan  Lasher  (SSA  OIG);  David  Bames,  Alexis  Buckhannon,  and  Karen  Kraush- 
aar  (TIGTA);  Tara  Linne  (USPS  OIG);  and  Joanne  Moffett  (VA  OIG). 

49)  As  chair  of  the  CIGIE  Homeland  Security  Roundtable,  Acting  DHS  IG  Charles  K.  Edwards 
has  continued  to  lead  the  next  phase.  Yvonne  Manino  and  I  are  co-chairing  the  group.  Members 
of  the  legal  subgroup  include  Athena  Jones  (HUD  OIG);  Sonya  Khanzode  (NSF  OIG);  Steve 
Begg  (USPS  OIG);  Jon  Lasher  (SSA  OIG);  Alexis  Turner  (TIGTA);  Scott  Levine  (EPA  OIG); 
Joanne  Howard  (USDA  OIG);  and  Michael  Boehman  and  Preethi  Nand  (DOD  OIG).  Members 
of  the  information  security  subgroup  include  Patrick  Kelly  and  Steven  Hernandez  (HHS  OIG); 
Jaime  Vargas  (DOD  OIG);  Stacey  Lyon  and  Brandon  Williamson  (DOD  OIG);  Matthew  Bunko 
and  Theodore  Dykstra  (DOI  OIG);  and  Magali  Khalko  (LSC  OIG). 

50)  The  new  public  affairs  council  is  being  led  by  public  affairs  officials  from  HHS  OIG,  DOD 
OIG,  SSA  OIG  and  TIGTA. 
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CIGIE  report,  “Recommended  Practices  for  Office  of 
Inspectors  General  Use  of  New  Media”  (September 
2011).  She  currently  is  co-chairing  the  CIGIE  per¬ 
manent  standing  working  group  meetings. 

Eyl  began  her  legal  career  at  the  Special  Inspector 
General  for  Iraq  Reconstruction.  Since  becoming  an 
OIG  attorney,  Eyl  has  participated  on  OIG  panels 
for  the  American  Bar  Association,  the  Washington 
Foreign  Law  Society,  and  the  Association  of  Certified 
Fraud  Examiners.  She  also  has  provided  training  to 
the  OIG  and  ethics  communities.  Most  recently,  in 
September  2012,  Eyl  taught  the  Fourth  Amendment 
update  at  the  IG  Criminal  Investigator  Academy. 
In  December  2011,  the  Council  of  Counsels  to  the 
Inspectors  General  recognized  Eyl  for  outstanding 
contributions  to  the  inspector  general  community. 

Before  becoming  an  attorney,  Eyl  taught  Russian 
at  Indiana  University  Bloomington  and  Russian, 
German  and  the  literary  genre  of  autobiography 
at  Tulane  University.  As  an  academic,  she  received 
numerous  awards,  fellowships  and  scholarships, 
including  a  Fulbright  to  Ukraine,  an  award  for 
outstanding  achievement  by  Harvard  University’s 
Ukrainian  Summer  Institute,  and  grants  supporting 
independent  research  in  Germany,  Ukraine  and 
Eastern  Europe. 

Eyl  holds  a  Juris  Doctor  degree  from  Georgetown 
University  Law  Center  and  is  a  member  of  the 
Supreme  Court  and  New  York  State  bars.  Created 
without  a  mandate  a  few  years  ago,  the  CIGIE  New 
Media  Working  Group  grew  into  a  permanent 
standing  working  group. 


Visit  www.ignet.gov 


28 


Law  in  the  Shadows 


By  Michael  Davidson  and  Neal  Swartz 

Members  of  the  inspector  general  community  have 
been  involved  in  undercover  operations  either  un¬ 
der  their  own  investigative  authority,  as  part  of  a 
joint  operation  with  other  law  enforcement  agen¬ 
cies  or  in  an  oversight  role  reviewing  the  activi¬ 
ties  of  their  parent  agency  In  a  recent  Semiannual 
Report  to  Congress,  for  example,  the  Department 
of  Defense  IG  reported  that  the  Defense  Criminal 
Investigative  Service  had  taken  part  in  16  under¬ 
cover  operations,  partnering  with  Immigration  and 
Customs  Enforcement,  the  FBI,  the  Department  of 
Commerce  and  the  Naval  Criminal  Investigative 
Service.1  Similarly,  the  Office  of  Treasury  Inspec¬ 
tor  General  for  Tax  Administration  recently  issued 
a  publicly  available  report  concerning  Internal 
Revenue  Service  undercover  operations.2  Further, 
many  agencies  pay  for  information  and  evidence 
using  such  vehicles  as  confidential  informants  and 
rewards. 

Despite  the  covert  nature  of  these  operations, 
there  have  been  a  significant  number  of  legal  opin¬ 
ions  rendered  concerning  the  application  of  appro¬ 
priations  and  contract  laws  in  the  context  of  under¬ 
cover  operations  and  the  purchase  of  information 
and  evidence.  As  a  rule,  both  the  courts  and  vari¬ 
ous  governmental  bodies  have  afforded  agencies  an 
extraordinary  amount  of  leeway.  Federal  criminal 
investigators,  investigative  staff  and  counsel,  work¬ 
ing  as  a  team,  may  take  advantage  of  significant  le¬ 
gal  tools  afforded  to  them  through  the  innovative 
use  of  various  principles  of  appropriations  and  pro¬ 
curement  law,  including  broad  legal  interpretations 
of  what  is  considered  a  necessary  expense  of  an 
operation  when  a  federal  investigative  agency  acts 
in  an  undercover  capacity.  Unfortunately,  there  has 
been  no  scholarly  treatment  of  this  topic  and  little 

1)  Inspector  General,  U.S.  Department  of  Defense,  Semiannual  Report  to  the  Congress,  Oct. 

1,  2010-March  31, 2011,  at  53. 

2)  TIGTA,  Criminal  Investigation  Can  Take  Steps  to  Strengthen  Oversight  of  its  Undercover 
Operations  (Feb.  3,  2012). 


guidance  is  publicly  available  to  the  Office  of  In¬ 
spectors  General  community  concerning  applica¬ 
tion  of  appropriations  and  procurement  law  in  an 
undercover  context.  This  article  endeavors  to  par¬ 
tially  fill  that  gap  by  discussing  some  of  the  issues 
commonly  arising  in  this  area. 

RETAINING  MONEY  AND  THE 
MISCELLANEOUS  RECEIPTS  STATUTE 
One  reoccurring  issue  in  undercover  operations  is 
the  agency’s  authority  to  retain  money  that  it  re¬ 
ceives  during  such  operations.  Generally,  all  money 
received  by  or  for  the  United  States,  regardless  of 
source,  must  be  returned  to  the  Treasury  Depart¬ 
ment.  This  requirement  is  codified  in  the  Miscella¬ 
neous  Receipts  Statute,  31  U.S.C.  §  3302(b),  which 
provides  that:  “An  official  or  agent  of  the  govern¬ 
ment  receiving  money  for  the  government  from 
any  source  shall  deposit  the  money  in  the  Treasury 
as  soon  as  practicable  without  deduction  for  any 
charge  or  claim.” 

The  MRS  mandate  does  not  apply,  however, 
when  specific  statutory  authority  exists  for  an  agen¬ 
cy  to  retain  money.  Several  agencies  possess  spe¬ 
cific  statutory  authority  to  keep  and  use  proceeds 
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from  undercover  operations,  including  the  FBI,  the 
Drug  Enforcement  Administration,  the  Bureau  of 
Alcohol,  Tobacco,  Firearms  and  Explosives,  ICE, 
and  the  IRS.3 

Additionally,  in  at  least  one  case,  the  Govern¬ 
ment  Accountability  Office  determined  that  mon¬ 
ey  received  during  an  undercover  operation  was 
not  the  type  of  money  falling  within  the  scope  of 
the  MRS.  In  Family  Lines  Rail  System-Return  of 
Funds,  B-20590  (Comp.  Gen.  May  19,  1982),  a  rail¬ 
road  company  assisting  an  FBI  undercover  opera¬ 
tion  investigating  theft  of  diesel  fuel,  provided  fuel 
to  the  FBI  with  the  understanding  that  at  the  end  of 
the  investigation  any  unused  fuel  or  money  gener¬ 
ated  from  sale  of  the  fuel  would  be  returned  to  the 
railroad.  After  the  sale  of  fuel,  the  FBI  initially  re¬ 
tained  the  proceeds  of  sale  as  evidence,  but  wished 
to  return  the  money  to  the  railroad  at  the  end  of  the 
investigation.  GAO  reviewed  the  language  of  the 
MRS’  predecessor  statute,  31  U.S.C.  §  484,  and  con¬ 
cluded  that  the  funds  were  not  the  type  of  money 
contemplated  by  the  statute.  Although  there  are  dif¬ 
ferences  between  the  wording  of  sections  484  and 
3302(b),  the  GAO  continues  to  cite  this  decision  for 
the  position  that  “this  is  not  the  kind  of  receipt  con¬ 
templated  by  3 1  U.S.C.  §  3302(b).”4 


“When  the  primary  (or  so  he)  6enefit 
of  the  operation  resides  heavihy 
with  a  sing  he  haw  enforcement 
agency ,  that  entity  may  stihh o6tain 
the  services  of  other  agencies 
through  reim6ursa6he  agreements.  ” 

Absent  statutory  authority  to  retain  money, 
agencies  involved  in  undercover  operations  must 
generally  deposit  money  received  during  these  op¬ 
erations  into  the  Treasury  as  miscellaneous  receipts, 
but  strict  temporal  application  of  the  MRS  may  be 
impractical.  In  Requirement  to  Deposit  Receipts 
from  IRS  Undercover  Operations  into  the  Trea¬ 

3)  U.S.  General  Accountability  Office,  II  Principles  of  Federal  Appropriations  Law  6-21 3 
n.1 85  (3rd  ed.  January  2004)  [hereafter  GAO  Red  Book]. 

4)  GAO  Red  Book,  at  6-182. 


sury,  B-229631,  67  (Comp.  Gen.  353,  354  March 
23,  1988),  for  example,  GAO  recognized  that  “re¬ 
quiring  deposits  of  money  accrued  during  an  un¬ 
dercover  operation,”  such  as  gambling  winnings 
or  money  generated  by  undercover  businesses,  “as 
soon  as  it  is  received  may  be  impracticable  within 
the  meaning  of  [the  MRS]  in  that  it  may  jeopardize 
the  success  of  the  investigation.”  GAO  determined 
that  the  IRS  could  treat  short-term  operations  as  a 
single  transaction  for  MRS  purposes. 


JOINT  OPERATIONS 

As  noted  in  the  opening  paragraph,  agencies  often¬ 
times  engage  in  joint  operations.  This  may  reduce 
operational  costs,  and  it  allows  for  the  sharing  of 
information,  expertise,  assets  and  equipment.  Un¬ 
fortunately,  GAO  has  provided  little  guidance  about 
joint  funding  of  law  enforcement  operations.5  As¬ 
suming  the  normal  rules  of  obligation  and  expen¬ 
diture  apply,  each  participating  agency  must  sat¬ 
isfy  the  basic  fiscal  limitations  (purpose,  time,  and 
amount)  of  its  own  appropriations  to  participate  in 
the  joint  operation. 

In  addition,  each  participating  agency  should 
be  able  to  contribute  proportionally  to  the  opera¬ 
tion  considering  the  benefit  to  each  agency  with¬ 
out  improperly  augmenting  the  appropriations  of 
another  participating  agency.  Further,  no  prohi¬ 
bition  appears  to  exist  on  the  contribution  to  the 
mutually-benefiting  operation  being  a  combination 
of  funds,  equipment  or  investigative  assets. 

When  the  primary  (or  sole)  benefit  of  the  oper¬ 
ation  resides  heavily  with  a  single  law  enforcement 
agency,  that  entity  may  still  obtain  the  services  of 


5)  See  generally  Interagency  Funding,  15  GAO-RB  pt  A,  s.3,  2008  WL  6969351  (G.A.O., 
September  2008,  March  2011  Update). 
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other  agencies  through  reimbursable  agreements. 
For  example,  it  is  well  established  that  one  agency 
may  obtain  the  services  of  an  employee  of  another 
agency  through  a  reimbursable  detail  under  the  au¬ 
thority  of  the  Economy  Act.6  Indeed,  the  Economy 
Act  provides  broad  authority  for  one  agency  to  pur¬ 
chase  services  (and  goods)  from  another.7 

INSURANCE 

The  government  follows  a  policy  of  insuring  its 
own  risk  of  loss  or  damage  to  government  prop¬ 
erty  and  for  the  liability  of  government  employ¬ 
ees  under  circumstances  when  the  United  States 
is  responsible  for  their  actions  (e.g.,  tort  claims). 
Accordingly,  in  the  absence  of  express  statutory 
authorization,  an  agency  may  not  use  appropri¬ 
ated  funds  to  “purchase  insurance  to  cover  loss  or 
damage  to  government  property  or  the  liability  of 
government  employees.”8  However,  on  at  least  one 
occasion,  GAO  determined  the  normal  prohibition 
against  insurance  purchase  did  not  apply  and  such 
purchases  were  necessary  expenses  of  the  agency, 
when  the  agency  involved  in  an  undercover  opera¬ 
tion  required  insurance  to  maintain  the  cover  of  an 
undercover  proprietary  business. 

In  FBI  Insurance  From  Private  Firms  In  Un¬ 
dercover  Operations,  B-204486  (Comp.  Gen.  Jan. 
19, 1982),  GAO  determined  the  FBI  could  purchase 
insurance  during  its  undercover  operations  if  the 
agency  determined  such  expenses  were  necessary 
for  the  success  of  the  operation  or  to  protect  the 
safety  of  its  undercover  agents.  GAO  noted  the  FBI 
was  not  seeking  to  purchase  insurance  to  protect 
itself  from  financial  loss,  which  would  run  afoul  of 
the  self-insurance  policy,  but  rather  the  FBI  believed 
purchase  of  insurance  was  necessary  to  maintain 
the  cover  of  its  front  corporations,  facilitating  their 
appearance  as  a  normal  business  enterprise.9  In  the 
event  of  an  accident,  auto  insurance  may  be  a  pru¬ 
dent  investment  to  avoid  having  to  go  overt  with 
local  law  enforcement  entities,  private  counsel  for 
injured  parties  and  insurance  companies.  Absent 
private  insurance,  any  claims  for  injuries  or  prop¬ 
erty  damage  caused  by  an  undercover  agent  would 
likely  be  treated  as  a  claim  under  the  Federal  Tort 
Claims  Act,  28  U.S.C.  §§  1346(b),  2671-2680. 


6)  Inspector  Gen.,  Library  of  Congress,  B-247348, 1992  WL  152986,  at  *9  n.3  (Comp.  Gen. 
June  22, 1992). 

7)  31  U.S.C.  §  1535(a). 

8)  GAO  Red  Book,  at  4-176. 

9)  Id.  at  2. 


LOSING  MONEY 

GAO  has  been  very  forgiving  when  an  agency  loses 
control  of  funds  during  an  undercover  operation. 
Agents  may  need  large  amounts  of  cash  to  establish 
their  credibility  with  the  object  of  an  investigation. 
Frequently  referred  to  as  a  “flash  roll,”  the  money 
may  be  used  to  purchase  drugs,  counterfeit  cur¬ 
rency  or  products,  illegal  firearms  or  other  types  of 
contraband,  or  as  a  gambling  stake. 

“CjjAO  determined  the  ddd  coutd 
purchase  insurance  during  its 
undercover  operations  if  the  agency 
determined  such  expenses  were 
necessary  for  the  success  of  the 
operation  or  to  protect  the  safety 
of  its  undercover  agents.  ” 


In  some  circumstances,  an  agent  advanced  cash 
for  use  in  an  operation  maybe  held  accountable  for 
its  loss.  Generally,  if  the  money  is  lost  under  cir¬ 
cumstances  considered  an  inherent  risk  of  the  op¬ 
eration,  such  as  a  suspect  fleeing  with  the  money 
or  robbing  the  agent,  the  agent  will  not  be  held  ac¬ 
countable  for  the  loss,  and  the  money  will  simply 
be  charged  against  the  financing  appropriation  as 
a  necessary  expense  of  the  operation.  If  the  agent’s 
negligence  is  responsible  for  the  loss,  however,  he/ 
she  may  be  held  accountable.10  For  example,  in  Mr. 
Paul  R.  Gentile,  financial  manager,  Bureau  of  Al¬ 
cohol,  Tobacco  and  Firearms,  B-232253  (Comp. 
Gen.  Aug.  12,  1988),  an  ATF  agent  advanced  $900 
to  a  confidential  informant  to  rent  an  apartment 
as  part  of  an  undercover  operation.  Instead,  the  Cl 
fled  with  the  rent  money.  Because  the  agent  was 
not  negligent,  GAO  determined  that  the  loss  could 
simply  be  treated  as  an  operating  expense.  In  con¬ 
trast,  in  Carole  J.  Dineen,  fiscal  assistant  secretary, 
Department  of  the  Treasury,  B-214718  64  (Comp. 
Gen.  140  Dec.  14,  1984),  GAO  denied  relief  to  a 
Secret  Service  agent,  whose  shoulder  bag  was  sto- 

10)  Funds  To  Which  Accountability  Attaches,  9  GAO-RB  pt.  B,  s.3(a)(2),  2006  WL  6179214, 
at  *3-4  (G.A.O.,  February  2006;  March  2011  update). 
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len  containing  $1,000  to  be  used  to  purchase  coun¬ 
terfeit  U.S.  currency.  While  in  a  crowded  airport 
in  Columbia,  the  agent  put  his  bag  on  a  counter  to 
make  travel  arrangements  and  then  noticed  after 
approximately  five  minutes  that  the  bag  was  gone. 
GAO  determined  that  the  agent  had  been  careless 
with  the  funds  and  his  negligence  was  responsible 
for  the  loss. 

PURCHASING  INFORMATION  AND 
EVIDENCE 

The  concept  of  investigative  agencies  using  ap¬ 
propriated  funds  to  purchase  evidence  and  infor¬ 
mation  from  confidential  informants  has  been  a 
firmly  rooted  principle  of  appropriations  law  since 
at  least  1951.  The  comptroller  general  held  that  the 
former  Customs  Services  could  fund  the  purchase 
of  information  and  evidence  from  its  appropriation 
available  for  the  Customs  Services’  law  enforce¬ 
ment  activities  without  requiring  a  specific  appro¬ 
priation  for  rewards  as  long  as  such  expenditures 
were  “administratively  determined  necessary  in 
the  enforcement  of  the  customs  .  .  .  and  narcotics 
laws.”  See  The  Honorable  Secretary  of  the  Treasury, 
B- 106230  (Comp.  Gen.  Nov.  30,  1951)  (reviewing 
the  law  enforcement  appropriations  of  the  Customs 
Service  and  the  IRS).  The  general  rule  that  emerges 
is  that  the  use  of  appropriations  for  payments  for 
information  concerning  violations  of  those  laws 
administered  by  an  agency  is  generally  considered 
a  necessary  expense  of  the  appropriations  that  are 
available  for  the  enforcement  of  those  same  laws. 
See  e.g.,  Cash  Prize  Drawing  by  National  Oceanic 
and  Atmospheric  Administration,  70  Comp.  Gen. 
720,  721-22  (1991).  For  most  agencies  involved  in 
undercover  operations  or  other  law  enforcement 
operations,  there  are  multiple  funding  sources  for 
the  purchase  of  information  and/or  evidence.  Some 
agencies  receive  annual  appropriations  that  include 
money  specifically  intended  for  the  payment  of  in¬ 
formation.  Congress,  however,  oftentimes  places 
a  cap  within  an  agency’s  appropriations  act  on  the 
amount  of  such  funds  available  for  this  purpose. 
Where  an  agency  receives  an  appropriation  provid¬ 
ing  for  the  purchase  of  information  or  evidence, 
but  where  that  appropriation  is  capped,  an  inter¬ 
esting  question  arises  about  whether  any  specific 
purchase  of  evidence  falls  within  that  limited  ap¬ 
propriation  or  whether  the  investigative  agency’s 
necessary  expense  authority  (e.g.,  B- 106230)  con¬ 


trols.  Such  a  question  normally  will  be  resolved  by 
reference  to  which  appropriation  is  more  specific 
for  the  expense  in  question. 

Agencies  with  statutory  authority  to  retain  pro¬ 
ceeds  generated  during  an  operation  (aka  churned 
funds)  also  may  possess  the  authority  to  use  such 
funds  to  purchase  information  and  evidence  as  a 
necessary  operational  expense.  In  addition,  both 
the  Department  of  Justice  Asset  Forfeiture  Fund, 
28  U.S.C.  §  524(c),  and  the  Treasury  Asset  Forfei¬ 
ture  Fund,  31  U.S.C.  §  9703,  may  serve  as  a  funding 
source  to  purchase  information. 

Agencies  may  be  authorized  to  spend  appro¬ 
priated  funds  on  rewards  to  informants  or  other 
sources  of  information  through  specific  statutory 
grants  of  authority.  Agencies  with  specific  statutory 
authority  to  pay  rewards  include  the  Department  of 
State,  22  U.S.C.  §  2708,  the  Secret  Service,  18  U.S.C. 
§  3056,  the  IRS,  26  U.S.C.  §  7623,  the  Department 
of  Justice,  18  U.S.C.  §§  3071-72  and  28  U.S.C. 
§  530C(b)(l)(L),  the  Postal  Service,  39  U.S.C.  § 
404(a)(7),  and  ICE  using  the  former  Customs  Ser¬ 
vice’s  moiety  authority,  19  U.S.C.  §  1619. 

If  an  agency  lacks  specific  statutory  authority 
to  pay  rewards,  then  it  may  only  do  so  “if  the  in¬ 
formation  is  essential  or  necessary’  to  the  effective 
administration  and  enforcement  of  the  laws”  (ad¬ 
ministered  by  that  agency)  and  the  reward  money 
comes  from  an  appropriate  funding  source,  consid¬ 
ering  the  agency’s  organic  authority  and  the  lan¬ 
guage  of  its  appropriations  act.  Information  that 
is  merely  “helpful  or  desirable”  does  not  justify  re¬ 
ward  money.11 

In  Internal  Revenue  Service  “Informant/Wit¬ 
ness”  Expenditures,  B- 183922  (Comp.  Gen.  Aug.  5, 
1975),  GAO  determined  that  the  IRS’  general  ap- 


11)  GAO  Redbook  at  4-276  -  278. 
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propriation  was  available  to  support  and  maintain 
an  informant/witness  as  a  necessary  expense  of  its 
investigation  until  such  time  as  a  more  specific  ap¬ 
propriation  became  applicable  (i.e.,  DOJ  Witness 
protection  Program).  As  discussed  below,  there 
have  been  a  surprising  number  of  cases  seeking  re¬ 
wards  or  enhanced  rewards  by  informants. 

INFORMANT  LAWSUITS  SEEKING 
COMPENSATION  FROM  THE  GOVERNMENT 
A  surprisingly  large  number  of  cases  exist  discuss¬ 
ing  attempts  to  sue  the  United  States,  seeking  com¬ 
pensation  for  information  or  services  provided  to 
law  enforcement  agents.  The  bulk  of  the  cases  are 
brought  under  the  Tucker  Act,  relying  on  either  an 
implied-in-fact  theory  of  recovery  or  alleging  a  vio¬ 
lation  of  a  money- mandating  law  or  regulation. 

The  Tucker  Act  provides  jurisdiction  to  the 
U.S.  Court  of  Federal  Claims  to  “render  judgment 
upon  any  claim  against  the  United  States  founded 
.  .  .  upon  any  express  or  implied  contract  with  the 
United  States.”  28  U.S.C.  §  1491(a)(1).  If  the  amount 
of  money  sought  is  less  than  $10,000,  a  federal  dis¬ 
trict  court  also  has  jurisdiction.  28  U.S.C.  §  1346(a) 
(2). 

However,  establishing  Tucker  Act  jurisdiction 
by  itself  is  insufficient  to  obtain  damages  from  the 
United  States.  The  Tucker  Act  is  only  a  waiver  of 
sovereign  immunity  that  allows  a  court  to  hear  and 
decide  a  case;  it  does  not  provide  a  substantive  right 
to  damages  against  the  United  States.  To  obtain 
damages,  the  plaintiff  must  either  establish  a  breach 
of  an  express  or  implied  contract  with  the  United 
States,  or  bring  a  claim  based  on  the  violation  of  a 
law  or  regulation  that  mandates  compensation  for 
its  violation. 

In  most  cases  brought  on  an  express  or  im- 
plied-in-fact  contract  theory,  informants  frequent¬ 
ly  lose  because  the  field  agents  who  allegedly  prom¬ 
ised  money  for  information  or  cooperation  lacked 
the  authority  to  bind  the  United  States  contractu¬ 
ally.  To  illustrate,  in  Roy  v.  United  States,  38  Fed. 
Cl.  184  (Fed.  Cl.  1997),  a  confidential  informant, 
who  agreed  to  work  for  the  FBI  in  a  highly  success¬ 
ful  bookmaking/money  laundering  sting  opera¬ 
tion  targeting  drug  rings  in  the  Philadelphia  area, 
received  a  significant  sentence  reduction  as  well  as 
more  than  $180,000  in  compensation.  Subsequent¬ 
ly,  Roy  filed  suit  seeking  as  much  as  25  percent  of 
all  money  and  assets  seized  because  of  his  contribu- 


“J {owever,  esta6Cisfiing  Tucker Jflct 
jurisdiction  by  itsef  is  insufficient 
to  o  6  tain  damages  from  the 
"United States.  ” 

tions  to  the  sting  operation,  basing  his  entitlement 
on  an  alleged  oral  contract  with  FBI  special  agents 

Treating  the  lawsuit  as  one  brought  under  the 
Tucker  Act,  the  court  noted  that  Roy  had  to  estab¬ 
lish  the  traditional  elements  of  a  contract — mutual 
intent  to  be  bound,  offer,  acceptance  and  consider¬ 
ation — as  well  as  the  actual  authority  of  a  govern¬ 
ment  representative  to  bind  the  United  States  con¬ 
tractually.  The  court  determined  that  the  FBI  agents 
lacked  any  actual  authority  to  create  an  enforceable 
contract  with  an  informant,  that  supervisory  agents 
who  may  have  possessed  such  authority  never  ex¬ 
ercised  it  and  that  the  special  agents  lacked  “im¬ 
plied”  actual  authority  because  contracting  author¬ 
ity  was  not  an  integral  part  of  FBI  agents’  duties, 
even  when  working  with  confidential  informants. 
When  an  agent  or  other  law  enforcement  official  is 
authorized  to  contract  with  an  informant,  however, 
the  courts  will  enforce  the  terms  of  any  such  agree¬ 
ment.  See  Forman  v.  United  States,  61  Fed.  Cl.  665 
(2004) 

In  addition,  there  has  been  quite  a  bit  of  litiga¬ 
tion  in  cases  involving  rewards,  particularly  cases 
involving  the  IRS  reward  program.  A  key  issue  in 
these  cases  has  been  whether  the  terms  of  an  al¬ 
leged  contract,  in  particular  the  amount  of  reward, 
are  too  ambiguous  to  be  enforceable. 

In  Golding  v.  United  States,  98  Fed.  Cl.  470 
(2011),  an  informant  unsuccessfully  alleged  that 
the  U.S.  Postal  Service  breached  an  implied-in-fact 
contract  for  a  reward  to  pay  for  information  and 
services  provided  during  a  government  investiga¬ 
tion.  Postal  Service  posters  offered  rewards  for 
certain  amounts,  based  on  specific  offenses,  “for 
information  and  services  leading  to  the  arrest  and 
conviction  of  any  person  for  the  .  .  .  offenses.”  Fur¬ 
ther,  the  posters  stated,  “The  amount  of  any  reward 
will  be  based  on  the  significance  of  services  ren¬ 
dered,  character  of  the  offender,  risks  and  hazards 
involved,  time  spent  and  expenses  incurred.” 
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“...the government  may  ahso  6e 
required  to  notify  the  informant 
that  any  eventuah moiety  award 
may  6e  offset  6y  prior  payments for 
information  of  evidence.  ” 


Reviewing  analogous  IRS  reward  cases,  the 
court  opined  that  for  the  complaint  to  survive  a 
motion  to  dismiss,  plaintiff  had  to  allege  that  the 
agency  somehow  fixed  the  amount  for  the  reward 
or  agreed  to  pay  a  specific  sum.  The  terms  of  the 
alleged  contract,  the  court  determined,  did  not 
“mandate  an  award  in  every  instance”  and  were 
“too  indefinite  for  contract  formation  unless  and 
until  specific  reward  amounts  are  negotiated  and 
fixed  with  appropriate,  government  officials.”12 

The  courts  have  also  addressed  attempts  to 
sue  the  United  States  for  compensation  based  on 
a  violation  of  a  money-mandating  law  or  regula¬ 
tion.  For  example,  courts  have  determined  that 
Moiety  19  U.S.C.  §  1619,  is  money  mandating,  but 
the  statute  creating  DOJ’s  Asset  Forfeiture  Fund, 
28  U.S.C.524(c)(l)(B),  and  the  Reward  statute,  18 
U.S.C.  §  3071,  are  not.  Perri  v.  United  States,  340 
F.3d  1337  (Fed.  Cir.  2003)  (DOJ  Asset  Forfeiture, 
moeity);  Fleming  v.  United  States,  413  F.  Supp.2d 
503  (E.D.  Pa.  2005)  (Reward  statute). 

The  moiety  statute  provides  that  the  secretary 
of  the  treasury,  now  DHS,  may  pay  an  award  to  any 
person,  not  a  federal  employee,  who  (1)  detects, 
seizes  and  reports  the  seizure  of  certain  items  sub¬ 
ject  to  seizure  and  forfeiture  under  customs  or  nav¬ 
igation  laws  or  (2)  furnishes  original  information 
to  a  U.S.  Attorney,  the  secretary  of  the  treasury  or 
a  customs  officer  concerning  “fraud  upon  customs 
revenue”  or  a  violation  of  customs  or  navigation 
laws;  that  results  in  a  recovery  of  duties  withheld, 
fines,  penalties  or  forfeited  property.  19  U.S.C.  § 
1619(a).  The  secretary  may  also  provide  an  award 
to  any  otherwise  eligible  person  when  the  forfeited 
property  is  not  sold,  but  instead  is  destroyed  or  giv¬ 
en  to  a  government  agency  for  official  use.13 

Significantly,  the  regulations  implementing 
that  statute  require  the  customs  officer  receiving 


12)  d.  at  484. 

13)  Id.  §  1619(b). 


information  to  notify  the  informant  “that,  in  the 
event  of  a  recovery,  he  may  be  entitled  to  compen¬ 
sation.”  19  C.F.R.  §  161.14.  Depending  upon  the 
specific  agreement  between  the  government  and 
informant,  the  government  may  also  be  required 
to  notify  the  informant  that  any  eventual  moiety 
award  may  be  offset  by  prior  payments  for  infor¬ 
mation  of  evidence.14 

Despite  permissive  statutory  language  stating 
the  secretary  “may”  pay  an  award,  in  Doe  v.  United 
States,  100  F.3d  1576, 1582  (Fed.  Cir.  1996),  the  U.S. 
Court  of  Appeals  for  the  Federal  Circuit  examined 
the  legislative  history  of  the  statute  and  held  that 
it  mandated  payment  of  some  amount  of  an  award 
when  the  statutory  conditions  for  award  eligibil¬ 
ity  were  met.  To  recover  under  the  moiety  statute, 
however,  a  plaintiff  must  also  establish  the  statu¬ 
tory  prerequisites  to  recovery:  that  he/she  “pro¬ 
vided  original  information  involving  violations  of 
the  customs  or  navigation  laws  that  has  led  to  the 
recovery  of  a  fine,  penalty  or  property.”  In  addition, 
the  government  enjoys  great  discretion  in  deter¬ 
mining  the  amount  of  award,  as  much  as  25  percent 
per  case  of  any  related  recovery  or  unsold  forfeited 
property.  19  U.S.C.  §§  1619(a), (b),(c). 

CONCLUSION 

Some  federal  investigative  agencies  have  specific 
statutory  authority  excepting  their  undercover 
operations  from  legal  principles  that,  while  neces¬ 
sary  for  normal  agency  operations,  interfere  with 
the  practical  needs  of  an  undercover  investigative 
capacity.  Even  without  specific  statutory  authority, 
most  investigative  agencies  may  take  advantage  of 
expansive  legal  interpretations  of  what  is  a  “nec¬ 
essary”  expense  of  an  agency  appropriation  when 
maintaining  the  covert  nature  of  an  operation, 
developing  and  protecting  a  source  or  gathering 
information  and  evidence.  The  authority  to  retain 
money  earned  in  investigative  operations  and  the 
authority  to  purchase  insurance,  for  example,  al¬ 
low  a  federal  investigative  team  to  look  and  act  like 
a  private  sector  enterprise.  Further,  the  authority 
to  purchase  necessary  information  and  evidence 
through  advertised  rewards  is  often  crucial  to  ob¬ 
taining  information  to  investigate  a  crime.  Finally, 
the  ability  of  investigative  agents  to  develop  and 
pay  informants  without  obligating  the  government 


14)  Id. 
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contractually  advances  the  needs  of  an  investigation 
while  protecting  an  agency’s  funding  from  future 
spurious  claims.  As  investigators,  advisors  or  when 
acting  in  an  oversight  role,  the  OIG  community 
should  be  familiar  with  these  legal  authorities,  so 
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Botnet  Investigations:  An  Inspector 
General  Perspective 


By  Sean  Zadig 

Deep  within  the  heart  of  the  agency,  late  at  night  af¬ 
ter  the  employees  have  all  gone  home,  desktop  and 
laptop  computers  awaken  and  begin  to  work.  All 
across  the  country,  in  agency  offices  and  employ¬ 
ee  homes,  these  computers  begin  to  process  data 
and  execute  commands.  But  instead  of  perform¬ 
ing  tasks  for  the  workers  who  usually  tap  at  their 
keyboards,  the  computers  are  serving  a  different 
master,  half  a  world  away.  They  have  been  forced  to 
join  a  botnet  (robot  network),  and  are  stealing  sen¬ 
sitive  data,  conducting  attacks  on  other  computers 
and  are  enriching  their  new  masters,  all  without 
the  knowledge  of  the  agency’s  users  or  information 
technology  staff.  In  fact,  the  infected  computers  are 
now  under  the  complete  control  of  the  hot  masters 
and  can  perform  their  every  bidding. 

While  it  may  sound  like  a  plot  to  a  zombie  hor¬ 
ror  movie,  millions  of  computer  systems  worldwide 
have  been  infected  with  malicious  software  (mal¬ 
ware),  have  been  enslaved  into  botnets — including 
computer  systems  owned  and  operated  by  the  U.S. 
government — and  are  under  the  control  of  crimi¬ 
nals.  Vint  Cerf,  one  of  the  original  inventors  of  the 
Internet,  estimated  that  perhaps  one  in  four  com¬ 
puters  on  the  Internet  are  a  part  of  a  botnet,1  indi¬ 
cating  they  are  extremely  pervasive.  This  new  men¬ 
ace  provides  fresh  challenges  to  inspector  general 
cybercrime  investigators  who  seek  to  keep  their 
agencies  free  from  computer-based  criminal  activ¬ 
ity.  This  article  will  describe  the  types  of  botnets  in 
modern  use  and  how  IGs  are  uniquely  qualified  to 
investigate  these  crimes,  and  it  will  discuss  a  cur¬ 
rent  example  as  a  case  study. 

TYPES  OF  BOTNETS 

There  are  many  different  varieties  of  botnets  in  use 
today,  each  with  their  own  criminal  purposes  and 

1)  Tim  Weber,  “Criminals  ‘may  overwhelm  the  Web,’”  BBC  News.  January  25,  2007,  accessed 
Oct.  3,  2010,  http://news.bbc.co.Uk/2/hi/business/6298641.stm. 


unique  threats  to  agency  systems.  The  table  below, 
adapted  from  the  author’s  previous  work  ,2  provides 
a  typology  that  will  guide  the  discussion  in  this  ar¬ 
ticle.  As  we  will  see,  most  botnets  are  created  and 
maintained  for  financial  gain,  in  that  they  exist  to 
FIGURE  1.  COMMON  BOTNET  TYPES 


Botnet 

Type 

Purpose 

Example 

Botnet 

Spam 

Informa¬ 

tion 

stealing 

Delivering  unsolicited 
e-mail 

Stealing  login 
credentials  to  banks 
and  websites,  or 
intercepting  credit 
card  numbers 

Storm  Worm 
Zeus 

DDoS 

Denial  of  service 
attacks  against 
websites  or  servers 

BlackEnergy 

Dropper 

Intelli¬ 

gence 

gathering, 

cyberwar- 

fare 

Click  fraud 

Installing  other  types 
of  malware 

Allegedly  state-spon¬ 
sored  surveillance  or 
destruction  to  further 
political  means 
Fraudulent  clicks 
upon  online  adver¬ 
tisements 

Bredolab 

Ghostnet, 

StuxNet 

Other 

Illegal  web  hosting, 
proxies 

Bahama, 

DNSChanger 

Avalanche, 

Koobface 

2)  Sean  M.  Zadig  and  Gurvirender  Tejay,  “Emerging  cybercrime  trends:  Legal,  ethical,  and 
practical  issues.”  In  Investigating  cyber  law  and  cyber  ethics:  Issues,  impacts,  and  practices, 
ed.  Alfreda  Dudley,  James  Braman,  and  Giovanni  Vincenti,  (Hershey,  PA:  IGI  Global). 
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enrich  the  criminals  by  abusing  the  computing  and 
network  resources  of  the  infected  systems.  Unfor¬ 
tunately,  the  malware  for  many  of  these  botnets  can 
be  purchased  in  underground  forums,  are  sold  as 
“kits”  and  often  come  with  technical  support  from 
their  developers,  making  the  barrier  to  entry  for  as¬ 
piring  bot  masters  relatively  low. 

The  oldest  types  of  botnets  are  those  that  ex¬ 
ist  to  send  spam,  and  botnets  are  responsible  for 
the  majority  of  the  spam  that  ends  up  in  inboxes 
today.3  One  infected  computer  can  send  spam  to 
thousands  of  recipients  in  a  single  day.  Spam  can 
be  a  profitable  enterprise  for  the  bot  masters  and 
is  used  for  a  number  of  illegal  purposes  to  pro¬ 
mote  products,  such  as  counterfeit  pharmaceuti¬ 
cals  and  counterfeit  designer  goods;  to  send  email 
lures,  (also  known  as  “phishing”  emails),  that  ask 
recipients  to  enter  their  email  account  or  bank  ac¬ 
count  credentials  for  future  use  by  criminals;  and  to 
engage  in  stock  market  manipulation  by  pumping 
penny  stocks  that  are  later  dumped  at  a  profit  or  to 
simply  spread  other  viruses  and  malware  by  entic¬ 
ing  recipients  to  click  on  fraudulent  links  or  open 
tainted  documents,  thereby  infecting  themselves. 
Spam  botnets  in  themselves  do  not  pose  great  risk 
to  agency  systems;  however,  they  can  be  a  foothold 
for  other  types  of  malware,  and  IT  staffers  expend 
considerable  resources  remediating  infected  com¬ 
puter  systems. 

“(government  agencies  have  come 
under  frequent  attach^in  recent 
years  as  part  of  demonstrations 
tinned  to  the  hacher  movement 
hnown  as  Anonymous...  ” 

A  different  type  of  botnet  that  does  have  more 
inherent  risk  to  government  computers  is  the  mal¬ 
ware  associated  with  “information  stealing”  bot¬ 
nets.  Computers  infected  with  this  type  of  malware 
essentially  act  as  miniature  wiretaps  and  intercept 
victims’  keystrokes  and  capture  documents.  When 


3)  Jim  Carr,  “TRACE:  Six  botnets  generate  85  percent  of  spam.”  SC  Magazine ,  March  4,  2008, 
accessed  Oct.  15, 2010,  http://www.scmagazineus.com/trace-six-botnets-generate-85-per- 
cent-of-spam/article/107603/. 


users  type  sensitive  information  on  their  key¬ 
boards,  such  as  login  credentials  to  agency  systems 
or  passwords  to  banks  or  financial  systems,  the  in¬ 
formation  is  sent  to  the  bot  masters,  who  can  use 
it  as  they  please.  More  advanced  malware,  includ¬ 
ing  one  botnet  generally  referred  to  as  “Zeus,”  can 
even  use  the  infected  victim  computers  as  a  proxy 
to  remotely  access  bank  accounts  and  quickly  wire 
out  the  contents.  The  impact  upon  government  sys¬ 
tems  is  clear:  intercepted  login  credentials  may  al¬ 
low  criminals  unfettered  access  to  sensitive  emails 
and  documents,  and  agency  employees  can  suffer 
great  personal  losses  if  their  identities  are  stolen  or 
bank  accounts  robbed.  In  fact,  the  Zeus  malware 
has  previously  drained  bank  accounts  associated 
with  local  governments,  clearly  demonstrating  the 
willingness  and  adaptability  of  the  criminals  to 
monetize  their  illicit  accesses  where  possible. 

Another  common  type  of  botnet  malware  is  as¬ 
sociated  with  distributed-denial-of-service  attacks. 
This  malware  turns  each  infected  bot  into  what  can 
be  thought  of  as  a  digital  missile  that  can  be  aimed 
at  other  computers,  websites  or  networks  on  the  In¬ 
ternet,  and  when  many  bots  attack  a  single  target, 
they  can  quickly  overwhelm  it  with  requests  and 
knock  it  offline.  Distributed-denial-of-service  at¬ 
tacks  can  affect  government  agencies  in  two  ways: 
the  agency’s  computers  can  be  used  to  execute  the 
attack  if  they  are  already  compromised  and  are  part 
of  a  botnet;  or  the  agency  may  itself  be  a  target  of 
an  attack.  Government  agencies  have  come  under 
frequent  attack  in  recent  years  as  part  of  demon¬ 
strations  linked  to  the  hacker  movement  known 
as  Anonymous,  although  distributed-denial-of- 
service  attacks  are  also  regularly  executed  for  illicit 
financial  reasons.  For  example,  small  businesses  are 
often  extorted  with  threats  of  attacks — a  very  real 
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threat  to  companies  that  depend  upon  the  Inter¬ 
net  for  their  livelihood.  One  common  distributed- 
denial-of-service  botnet  malware  kit  is  known  as 
“BlackEnergy”  and  can  be  purchased  for  as  little  as 
$40  on  underground  forums.4 

Yet  another  type  of  botnet  is  often  referred  to  as 
“loader”  or  “dropper”  malware,  and  it  exists  purely 
to  install  other  types  of  malware  for  a  price.  The  bot 
masters  can  build  up  botnets  of  thousands  of  in¬ 
fected  computers,  and  subsequently  charging  other 
cybercriminals  to  install  malware  so  they  can  build 
their  own  botnets.  This  has  given  rise  to  an  under¬ 
ground  economy,  known  as  “pay  per  install,”  where 
infected  computers  can  be  bought  and  sold  cheaply. 
Budding  bot  masters  need  only  pay  another  crimi¬ 
nal  to  do  the  hard  work  of  infecting  the  comput¬ 
ers  for  them  and  can  then  select  the  computers  that 
will  be  a  part  of  the  new  botnet.  For  example,  the 
bot  master  may  want  to  join  government  systems 
to  an  information  stealing  or  intelligence  gathering 
botnet  or  may  enlist  computers  with  fast  Internet 
connections  to  distributed-denial-of-service  or 
spam  botnets.  The  threat  of  this  type  of  malware  to 
agency  systems  is  clear,  as  espionage-minded  crim¬ 
inals  or  nation-state  actors  could  also  purchase  in¬ 
fected  computers  in  this  underground  market  for 
nefarious  uses. 

This  leads  into  the  next  type  of  botnet — intel¬ 
ligence  gathering  or  cyberwarfare.  A  malware  net¬ 
work  known  as  “Ghostnet,”  believed  by  industry 
experts  to  have  originated  in  China,  was  recently 
found  on  computer  systems  in  embassies  and  gov¬ 
ernments  around  the  world.  Based  on  press  report¬ 
ing,  the  “Stuxnet”  botnet  was  also  associated  with 
attacks  on  nuclear  facilities  in  Iran.  While  law  en- 


4)  Jose  Nazario,  “BlackEnergy  distributed-denial-of-service  bot  analysis,”  October  2007, 
Arbor  Networks  technical  report. 


forcement  options  in  the  face  of  state-sponsored 
botnets  can  be  limited,  investigators  need  to  be 
aware  of  this  type  of  botnet,  as  it  may  become  more 
prevalent  in  the  future. 

Online  advertising  is  a  multibillion-dollar  in¬ 
dustry  and  provides  much  of  the  revenue  that  pow¬ 
ers  popular  online  services  such  as  Google,  Face- 
book  and  others.  Consequently,  a  type  of  botnet 
that  is  becoming  more  and  more  common  is  as¬ 
sociated  with  an  activity  known  as  “click  fraud,”  a 
type  of  fraudulent  activity  designed  to  subvert  the 
online  advertising  industry.  It  often  operates  on  a 
“pay-per  click”  model;  each  click  on  an  advertise¬ 
ment  from  a  website  visitor  results  in  a  small  pay¬ 
ment  to  an  advertiser.  Infected  computers  in  the 
botnet  are  often  made  to  click  on  advertisements 
under  the  control  of  bot  masters,  often  by  hijack¬ 
ing  the  websites  that  the  victims  intended  to  visit, 
thereby  inflating  the  advertising  accounts  with 
fraudulent  clicks.  The  impact  to  agency  computers 
with  this  type  of  botnet  is  similar  to  those  associat¬ 
ed  with  spam  botnets — while  the  click  fraud  opera¬ 
tions  may  not  impact  agency  operations  directly, 
this  type  of  malware  can  be  expensive  to  remediate, 
and  as  the  agency  computers  are  under  the  control 
of  organized  cybercriminals,  may  introduce  other 
types  of  malware  onto  government  networks.  A  re¬ 
cent  click  fraud  investigation  will  be  used  as  a  case 
study  later  in  this  article. 

There  are  a  number  of  other  types  of  botnets 
in  existence.  For  example,  the  “Avalanche”  botnet 
was  used  to  host  bank  phishing  websites  and  was 
responsible  for  two-thirds  of  all  phishing  attacks  in 
2009.5  Other  types  of  botnets  turn  victim  comput¬ 
ers  into  a  proxy  network,  allowing  cyber  criminals 
to  disguise  their  online  location  and  conduct  on¬ 
line  criminal  activity  in  relative  safety  by  appearing 
to  originate  from  the  infected  computer.  In  reality, 
bot  masters  are  limited  only  by  their  imaginations 
and  their  desire  to  make  money,  and  undoubtedly, 
new  types  of  botnets  will  come  into  existence. 

IG  INVESTIGATIONS  OF  BOTNETS 
Armed  with  a  basic  understanding  of  the  types  of 
botnets,  we  turn  our  attention  to  the  investigation 
of  these  threats.  Agency  OIGs  are,  in  fact,  well  suit¬ 
ed  to  investigate  this  type  of  criminal  activity  for 
a  number  of  reasons.  Unlike  investigative  agencies, 
such  as  the  FBI  or  Secret  Service,  with  cybercrime 

5)  Greg  Aaron,  “The  state  of  phishing,”  Computer  Fraud  &  Security,  Vol.  2010(6),  pp.  5-8. 
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missions,  OIGs  have  a  number  of  advantages  in 
these  cases.  First  and  foremost  because  corporate 
victims  are  often  hesitant  to  report  attacks  for  fear 
of  bad  publicity  and  the  FBI  may  need  to  wait  for 
an  individual  or  organization  to  contact  them  to  re¬ 
port  a  botnet  infection,  the  victimized  agency  is  in 
a  better  position  to  clearly  assess  and  characterize 
losses.  Moreover,  the  OIG’s  mission  and  authorities 
provide  a  clear  basis  for  action  when  warranted. 

The  Inspector  General  Act  of  1978  (“the  Act”) 
provides  many  of  the  basic  tools  needed  to  conduct 
these  investigations.  The  Act  insures  that  IG  inves¬ 
tigators  will  have  access  to  agency  records,  which 
include  IT  security  incident  records  documenting 
the  malware  infections,  network  logs  and  copies  of 
infected  computers  as  evidence,  and  other  infor¬ 
mation  that  can  be  used  to  calculate  the  cost  to  the 
agency  of  the  attack.  Agency  computers  are  consid¬ 
ered  protected  systems  under  Title  18  U.S.C.  §  1030, 
and  intrusions  and  damages  into  protected  systems 
are  punishable  as  felonies,  with  recent  changes  to 
the  statute  specifically  criminalizing  botnet  activity. 

The  IG  also  has  administrative  subpoena  pow¬ 
er  under  the  Act,  a  tool  that  other  cybercrime  in¬ 
vestigative  agencies  do  not  possess.  Subpoenas  are 
indispensable  tools  when  conducting  botnet  inves¬ 
tigations  and  can  be  used  in  many  different  ways. 
They  can  be  used  to  request  the  identity  of  crimi¬ 
nals  who  purchased  online  domain  names  or  rent¬ 
ed  computer  servers  that  are  used  to  control  the 
botnet  or  install  the  malware.  They  can  also  be  used 
to  seek  subscriber  information  for  email  accounts 
associated  with  those  domain  names  and  servers, 
which  may  then  lead  to  social  networking  accounts 
and  other  means  of  identifying  targets.  Equally 
important,  administrative  subpoenas  can  be  used 
to  follow  money  trails — in  the  case  of  click  fraud 
botnet  investigations,  for  instance,  subpoenas  can 
identify  who  was  receiving  the  illicit  proceeds  from 
hijacked  clicks. 

IG  subpoenas  also  offer  significant  benefits 
when  compared  to  grand  jury  subpoenas.  Agents 
do  not  need  to  convince  a  prosecutor  to  open  a  case 
to  get  subpoenas  through  the  grand  jury — this  al¬ 
lows  IG  investigators  time  to  fully  develop  a  case 
and  to  make  it  more  appealing  if  the  case  is  even¬ 
tually  presented  to  an  assistant  U.S.  attorney.  Ad¬ 
ditionally,  with  no  secrecy  requirements  imposed 
by  the  grand  jury,  agents  can  more  easily  work  with 
other  agencies,  most  notably  foreign  counterparts, 


“dhe  NASA  OI(j  examined  agency 
Id  security  records  and  determined 
that  more  than  a  hundred  NASA 
computers  had 6een  infected...  ” 

or  with  subject  matter  experts  to  investigate  the 
case. 

Depending  upon  the  size  and  geographic  dis¬ 
tribution  of  the  botnet  infections  within  the  agency, 
there  may  be  a  number  of  venues  from  which  to 
choose.  If  infected  computers  are  located  through¬ 
out  the  country,  or  if  money  trails  lead  to  a  particu¬ 
lar  locality  in  the  U.S.,  agents  may  opt  to  bring  the 
case  to  a  prosecutor  with  experience  or  interest  in 
investigating  botnets.  This  runs  in  contrast  to  agen¬ 
cies  such  as  the  FBI  or  SS,  which  often  have  to  work 
exclusively  with  their  local  U.S.  attorney’s  office, 
whether  or  not  the  USAO’s  priorities  or  resources 
align  adequately  with  the  novelty  and  complexity 
of  a  botnet  investigation.  And  investigators  should 
also  consider  coordinating  with  other  OIG  offices; 
after  all,  if  one  agency  is  affected  by  a  particular 
botnet,  there  is  a  good  chance  that  other  agencies 
are  as  well.  Such  coordination  between  OIGs  can 
pay  dividends  later  on,  for  issues  such  as  selecting 
venue  for  prosecution,  more  accurately  assessing 
and  reporting  overall  damage  amounts  from  the 
malware  attacks  and  uncovering  additional  inves¬ 
tigative  leads. 

A  CASE  STUDY:  THE  DNSCHANGER  BOTNET 
The  botnet  known  as  “DNSChanger”  is  an  example 
of  an  IG-driven  botnet  investigation.  This  inves¬ 
tigation  has  not  been  fully  adjudicated,  so  only  a 
brief  overview  will  be  presented. 

In  late  2009,  the  NASA  OIG  and  the  FBI  opened 
a  joint  criminal  investigation  into  the  activities  of  a 
company  known  as  Rove  Digital,  which  according 
to  security  experts  was  the  source  of  a  click  fraud 
botnet  known  as  DNSChanger.  This  botnet  allowed 
the  subjects  to  surreptitiously  direct  millions  of  vic¬ 
tims  to  websites  of  the  subject’s  choosing,  instead 
of  the  websites  that  the  victims  intended  to  visit.  In 
the  case  of  more  than  one  hundred  NASA  comput¬ 
ers,  the  malware  forced  the  computers  to  use  Rove 
Digital’s  DNS  servers  instead  of  NASA’s  DNS  serv- 
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ers,  which  placed  them  into  a  sort  of  a  botnet  under 
the  control  of  Rove  Digital. 

The  NASA  OIG  examined  agency  IT  security 
records  and  determined  that  more  than  a  hundred 
NASA  computers  had  been  infected  by  servers  un¬ 
der  the  control  of  Rove  Digital  for  losses  exceed¬ 
ing  $65,000.  Forensic  examinations  of  a  number  of 
these  computers,  as  well  as  analysis  of  network  logs, 
confirmed  they  had  their  DNS  settings  changed  via 
malware.  Using  a  combination  of  IG  subpoenas 
and  grand  jury  subpoenas,  the  identities  of  the  sub¬ 
jects  were  obtained  and  the  fraudulent  profits  from 
click  fraud  were  traced  to  individuals  in  Estonia 
and  Russia.  It  is  believed  that  perhaps  millions  of 
computers  worldwide  were  infected  with  the  mal¬ 
ware. 

Working  with  the  Estonian  National  Criminal 
Police  and  the  U.S.  Attorney’s  Office  for  the  South¬ 
ern  District  of  New  York,  the  NASA  OIG  and  the 
FBI  indicted  seven  targets  on  charges  including 
computer  intrusions,  wire  fraud  and  money  laun¬ 
dering.  In  November  2011,  six  subjects  were  ar¬ 
rested  in  Estonia  and  are  in  the  process  of  being 
extradited  to  the  United  States.  A  seventh  target 
in  Russia  remains  at  large.  Equally  important,  mil¬ 
lions  of  dollars  in  financial  accounts  in  Estonia,  the 
United  States,  Cyprus,  Denmark  and  Austria  were 
also  frozen,  and  real  estate  and  other  property  be¬ 
longing  to  the  subjects  were  seized  in  Estonia. 


CONCLUSION 

While  the  DNSChanger  case  has  not  yet  been  ad¬ 
judicated,  it  serves  as  a  demonstration  that  the  IG 
community  can  tackle  these  types  of  cases.  Using 
NASA  as  a  victim  and  tools  afforded  to  the  NASA 
OIG  under  the  IG  act,  the  case  was  successfully 
brought  to  indictment,  numerous  subjects  were 
arrested  and  illicit  funds  seized.  There  are  many 
more  botnets  in  operation,  and  more  are  being  in¬ 
troduced  every  day.  In  fact,  if  NASA’s  experiences 
are  representative  of  worldwide  cybercrime  trends, 
the  agency  is  receiving  fewer  and  fewer  traditional 
“hacker”  attacks  and  more  malware  and  botnet  at¬ 
tacks,  indicating  that  these  types  of  investigations 
may  be  the  future  for  IG  cybercrime  investigators. 
As  noted  above,  the  bot  masters  are  only  limited  by 
their  imagination — and  to  combat  them,  IG  inves¬ 
tigators  must  use  all  of  the  tools  at  their  disposal  to 
fight  this  new  type  of  cybercrime,  so 
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Statistical  Sampling:  Choosing  the 
Right  Sample  Size 


By  Dr.  Kandasamy  Selvavel  and  James  Hartman  Jr. 

In  this  paper,  we  avoid  technical  terms,  notations, 
and  formulas  so  that  persons  with  little  or  no  statis¬ 
tical  background  will  be  able  to  fully  appreciate  the 
content  and  application  of  sampling  in  the  auditing 
environment.  We  structured  this  paper  into  sec¬ 
tions  that  discuss  why  sample,  sample  size  for  attri¬ 
bute  projection,  sample  size  for  variable  projection 
and  sample  size  for  internal  control  test. 

WHY  SAMPLE? 

To  audit  all  items  in  the  target  universe  is  generally 
too  time  consuming  and  prohibitively  too  costly. 
Statistical  sampling  when  appropriately  applied 
and  implemented  is  an  efficient  tool  to  leverage 
available  audit  resources,  thereby  yielding  valu¬ 
able  and  defensible  information.  A  non- statistical 
sampling  approach  does  not  allow  what  is  found  in 
the  sample  to  be  projected  to  the  population,  and 
therefore,  may  be  considered  not  as  efficient  and 
effective  as  statistical  sampling  that  allows  sample 
results  to  be  projected  to  the  population. 

The  emphasis  to  audit  in  high-risk  areas,  with 
fewer  resources  and  shorter  audit  cycles,  further 
supports  the  need  to  employ  statistical  sampling. 
Consequently,  auditing  in  this  demanding  environ¬ 
ment  requires  improved  audit  planning  and  better 
audit  tools  to  efficiently  leverage  resources  and  op¬ 
timize  the  audit  process. 

At  the  organizational  level,  there  is  an  in¬ 
creased  emphasis  on  managing  audits  to  be  more 
timely,  relevant  and  have  a  higher  return  on  audit 
investment  of  resources.  Auditing  in  this  demand- 

“ Statistic^  samp  ting  metfocfoCogy 
sfouCcf  6e  an  integrah part  of  the 
audit  process...  ” 


ing,  somewhat  dynamic  environment  requires 
improved  audit  planning  to  efficiently  leverage  all 
audit  resources.  Statistical  sampling  methodology 
should  be  an  integral  part  of  the  audit  process,  be¬ 
ginning  in  the  planning  phase  up  to  supporting 
more  comprehensive  findings  and  recommenda¬ 
tions. 

Statistical  sampling  facilitates  and  helps  clarify 
the  overall  design,  scope  and  what  is  to  be  measured 
in  the  audit.  Statistical  sampling  at  the  beginning 
phase  is  collecting  information  from  auditors  and 
calculating  sufficient  sample  size  to  achieve  project 
goals,  namely  reportable  error  rate  and  associated 
dollar  value  with  good  precision. 

A  statistician  involved  early  in  the  development 
of  the  audit  benefits  the  process  by  helping  ensure 
focus  on  defensible  methodology  of  the  audit  and 
defining  what  will  be  measured  in  the  audit.  One 
of  the  most  important  questions  asked  by  the  audi¬ 
tors  when  they  approach  statisticians  for  consulta¬ 
tion  is  the  sample  size.  It  seems  like  this  is  a  simple 
question,  but  statisticians  need  certain  information 
before  they  can  provide  a  sample  size.  This  includes 
but  is  not  limited  to  the  sample  design,  confidence 
level,  desired  precision,  expected  error  rate  and  the 


Visit  www.ignet.gov 


44 


population  size  in  deciding  the  sample  size.  Addi¬ 
tional  information  such  as  distribution  and  size  of 
errors  improves  sample  efficiency. 

In  audit  projects  one  of  the  primary  objectives 
is  to  obtain  useful  results  with  minimal  effort  and 
cost.  To  meet  this  objective,  statisticians  analyze  the 
population,  choose  an  appropriate  sample  design 
and  discuss  the  general  requirements  with  the  audi¬ 
tors.  The  statisticians  aim  is  to  determine,  through 

FIGURE  1:  SAMPLE  SIZE  FOR  SMALL  POPULATION 


FIGURE  2:  SAMPLE  SIZE  FOR  LARGE  POPULATION 
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calculation  and  experience,  the  minimal  sample 
size  required  to  sufficiently  represent  the  popula¬ 
tion  and  achieve  the  desired  precision.  Unfortu¬ 
nately,  larger  samples  generally  produce  smaller 
sampling  error  but  require  larger  audit  resources. 
The  statistician  manages  this  delicate  balance  and 
helps  the  auditor  obtain  useful  results  at  minimal 
cost. 

SAMPLE  SIZE  FOR  ATTRIBUTE  PROJECTION 
For  statisticians  to  calculate  sample  size  for  attri¬ 
bute  projections,  they  need  to  know  what  level  of 
confidence  is  required  in  the  projection  (confi¬ 
dence  level),  how  tight  the  confidence  bounds  need 
to  be  (precision),  the  population  size  and  informa¬ 
tion  on  expected  errors  in  the  population  (error 
rate).  In  general,  a  90  percent  confidence  level  is 
reasonable  for  the  attribute  projections.  From  past 
history  or  from  a  pilot  study,  one  might  be  able  to 
reasonably  “guesstimate”  the  population  error  rate. 
When  little  or  no  information  is  available,  a  worst- 
case  scenario  (50-percent  error  rate)  can  be  used  to 
calculate  the  sample  size.  A  50-percent  error-rate 
assumption  gives  the  largest  sample  size  for  attri¬ 
bute  projection. 

When  the  population  size  increases,  the  sample 
size  also  increases,  but  the  increase  is  not  linear.  It 
is  important  to  note  that  the  increase  in  sample  size 
is  minimal  when  the  population  size  is  very  large. 
This  is  why  the  statistical  sampling  is  very  efficient 
for  large  populations. 

SAMPLE  SIZE  FOR  VARIABLE  PROJECTION 
For  statisticians  to  calculate  efficient  and  adequate 
sample  size  for  variable  projections,  they  need  to 
know  the  confidence  level,  the  precision,  the  pop¬ 
ulation  size  and  the  expected  standard  deviation 
of  the  errors.  In  general,  a  95  percent  confidence 
level  is  used  for  the  variable  projections.  To  achieve 
a  specified  relative  precision,  expected  standard 


“When  the  population  size 
increases,  the  sampCe  size  aCso 
increases,  6ut  the  increase 
is  not  [inear.  ” 
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deviation  of  the  errors  or  coefficient  of  variation, 
which  is  the  standard  deviation  divided  by  mean, 
can  be  used  in  the  calculation  of  sample  size.  A 
pilot  sample  or  information  from  previous  stud¬ 
ies  can  be  used  to  estimate  the  standard  deviation 
of  the  errors.  If  nothing  else  is  available,  a  hypoth¬ 
esized  distribution  of  the  population  data  can  be 
used  to  estimate  the  sample  size. 

There  are  several  statistical  packages  available 
for  sample  size  calculation,  but  most  of  them  do 
not  disclose  the  methodologies  used  in  their  calcu¬ 
lations.  For  simple  sample  designs,  the  mathemati¬ 
cal  formulae  are  given  for  sample- size  calculation 
in  many  statistics  textbooks.  For  example,  see  Co¬ 
chran  (1977), 1  Kish  (2004), 2  and  Lohr  (2010).3  In 
practice,  we  don’t  know  all  the  values  to  input  into 


the  formula,  and  informed  assumptions  must  be 
made  by  the  statistician  in  conjunction  with  the 
auditor.  Unfortunately,  only  the  assumed  values 
are  known  after  the  completion  of  the  project.  This 
is  why  calculating  sample  size  is  not  an  easy  task 
for  statisticians  and  sample  sizes  differ  based  on 
assumptions  about  the  data-set  and  distributions. 
Sufficiency  of  the  sample  to  adequately  represent 
the  population  is  mandatory  for  defensible  statisti¬ 
cal  projection. 

SAMPLE  SIZE  FOR  INTERNAL  CONTROL 
TEST 

Minimum  sample  sizes  for  internal  control  tests 
are  given  in  the  Government  Accountability  Of¬ 
fice  Financial  Audit  Manual  for  large  populations 


FIGURE  3:  THE  POPULATION  AND  THE  SAMPLE  SIZE  FOR  INTERNAL  CONTROL  TEST 


Population  Size(N) 

Sample  Size  (n) 

Population  Size  (N) 

Sample  Size  (n) 

upto19 

all 

60-67 

29 

20 

14 

68-70 

30 

21-22 

15 

71-72 

31 

23 

16 

73-102 

32 

24-32 

17 

103-150 

33 

33-34 

18 

151-154 

34 

35-36 

19 

155-159 

35 

37-38 

20 

160-195 

36 

39-40 

21 

196-200 

37 

41-42 

22 

201-206 

38 

43 

23 

207-228 

39 

44-45 

24 

229-234 

40 

46-47 

25 

235-290 

41 

48-49 

26 

291-336 

42 

50-51 

27 

337-500 

43 

52-59 

28 

501-2000 

44 

1)  Cochran,  W.G.  (1977).  Statistical  Techniques.  3rd.,  New  York,  N.Y:  Wiley. 

2)  Kish,  L.  (2004).  Statistical  Design  for  Research.  Hoboken,  N.J.:  Wiley. 

3)  Lohr,  S.  L.  (2010).  Sampling:  Design  and  Analysis.  Pacific  Grove;  CA:  Duxbury. 
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greater  than  5,000.  The  control  test  sample  size 
table  provided  in  FAM  is  based  on  a  90-percent 
confidence  level  and  5-percent  tolerable  error.  The 
auditors  should  rely  on  statisticians  to  calculate 
the  sample  size  for  small  population. 

For  internal  control  tests,  we  present  the  sample 
size  table  for  small  populations  of 2,000  or  less.  Our 
sample  size  calculations  are  based  on  the  theory 
given  in  Wendell  and  Schmee’s  paper.4  They  use  the 
hypothesis  testing  approach  in  their  methodology. 
Because  of  the  discrete  nature  of  the  hypergeomet¬ 
ric  distribution,  it  is  not  possible  to  calculate  the  ex¬ 
act  sample  size  for  very  small  populations  less  than 
100  that  yields  5  percent  upper  bound.  Therefore, 
for  some  very  small  populations,  the  correspond¬ 
ing  upper  bound  varies  from  3  to  6  percent.  Figure 
1  presents  sample  sizes  calculated  based  on  90-per- 
cent  confidence  level  and  5-percent  tolerable  error. 

The  Decision  Rule  for  the  control  test:  If  zero 
exceptions  are  found  in  the  sample,  this  indicates 
we  are  at  least  90  percent  confident  there  are  no 
more  than  5  percent  of  the  items  with  exceptions  in 
the  universe.  Therefore,  we  accept  the  null  hypoth¬ 
esis  that  there  are  no  more  than  5  percent  errors  in 
the  universe  and  conclude  controls  are  working. 

CONCLUSION 

After  the  audit  topic  is  defined  and  scope  of  the  au¬ 
dit  is  developed,  statisticians  can  assist  in  defining 
the  population  and  establishing  the  target  precision 
and  the  allowable  level  of  audit  risk.  The  audit  risk 
is  the  complement  of  the  level  of  confidence  and 
is  determined  either  by  published  guidance  or  in 
consultation  with  the  statistician  and  audit  man- 


4)  Wendell,  J.  P.  and  Schmee,  J.  (1996).  Exact  Inference  for  Proportions  From  a  Stratified 
Finite  Population.  Journal  of  the  American  Statistical  Association,  91,  825-830. 


agement.  If  management  is  willing  and  in  a  posi¬ 
tion  to  offer  additional  resources  and  more  time  for 
the  audit  process,  then  the  statistician  can  design 
a  sample  with  lower  risk,  a  higher  confidence  level 
and  better  precision. 

Clarity  of  the  audit  objective(s)  facilitates  the 
design  process  and  enhances  the  statistician’s  abil¬ 
ity  to  develop  a  more  efficient  design,  and  ultimate¬ 
ly,  to  obtain  more  useful  audit  results.  To  optimize 
resources  for  any  sampling  design,  the  appropriate 
goals  and  objectives  of  the  audit  must  be  clearly  de¬ 
fined.  Usually,  multiple  objectives  can  be  managed 
and  addressed  with  minimum  impact  on  audit  re¬ 
sources  within  the  same  sample  design. 

The  auditors  are  often  interested  in  reporting  a 
point  estimate.  The  point  estimate  should  be  given 
only  with  the  corresponding  standard  errors  or  the 
confidence  interval.  The  standard  error  gives  some 
measure  about  the  quality  of  the  calculated  esti¬ 
mates.  A  point  estimate  with  very  wide  confidence 
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interval  may  be  less  useful  for  decision  makers 
than  the  point  estimate  with  narrow  confidence 
interval.  That  is,  a  smaller  precision  is  preferable. 

The  challenge  is  to  provide  defensible  deci¬ 
sions  using  the  statistical  projections.  A  useful  ap¬ 
proach  is  to  compare  the  decision  that  would  be 
made  at  each  of  the  confidence  bounds.  That  is, 
would  the  decision  or  conclusion  differ  if  the  true 
errors  were  at  the  lower  versus  the  upper  confi¬ 
dence  bound?  If  so,  a  degree  of  comfort  is  gained 
in  reporting  or  using  the  estimate.  If  the  decision 
or  conclusion  at  each  confidence  bound  is  differ¬ 
ent,  then  additional  information  maybe  needed  to 
make  a  reasonable  conclusion.  irJ 
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Conceptual  Framework  for  Grant 
Oversight  Using  Data  Analytics 


By  Dr.  Brett  Baker 

In  fiscal  year  2011,  26  federal  agencies  provided 
approximately  $600  billion  in  federal  financial  as¬ 
sistance  to  more  than  80,000  recipients.  Approxi¬ 
mately  1,600  of  the  grant  programs  funded  in  201 1 
supported  national  infrastructure,  scientific  re¬ 
search  and  cultural  enrichment  activities  that  are 
designed  to  promote  the  public  good.  A  federal 
grant  is  an  award  of  financial  assistance  from  a  fed¬ 
eral  agency  to  carry  out  a  public  purpose  of  support 
or  stimulation  authorized  by  a  U.S.  law.  Recipients 
must  expend  the  federal  grant  funds  in  compliance 
with  federal  regulations  and  in  the  execution  of 
the  programs  and  activities  detailed  in  grant  docu¬ 
ments.  Oversight  of  those  funds  is  challenging  as 
there  is  limited  information  available  to  ensure 
costs  are  reasonable,  allocable  and  allowable. 

The  Conceptual  Framework  for  Grant  Over¬ 
sight  Using  Data  Analytics  describes  an  oversight 
approach  that  emphasizes  the  use  of  automated 
techniques  in  the  planning  and  execution  process¬ 
es  for  grant  oversight.  Data  obtained  from  multiple 
databases  can  be  compared  and  analyzed  to  iden¬ 
tify  anomalies  in  recipient  federal  award  cost  data 
and  award-expenditure  patterns.  Such  techniques 
allow  oversight  officials  and  Offices  of  Inspectors 

X Data  o6tainecffrom  muCtipCe 
cfata6ases  can  6e  compared  and 
ana[yzed  to  identify  anomaCies  in 
recipient  federaC award  cost  data 
and  award-expenditure.  ” 


General  to  expand  coverage  of  the  grant  dollars, 
increase  the  accuracy  of  analysis,  improve  the  ef¬ 
ficiency  of  planning,  and  ultimately,  reduce  the 
time  and  cost  of  conducting  a  review.  In  addition, 
automated  techniques  can  provide  transparency  of 
recipient  spending  that  is  difficult  and  challenging 
to  see  using  traditional  oversight  techniques 

The  framework  provides  auditors  and  investi¬ 
gators  a  risk-based,  data  analytics-driven  approach 
to  identify  institutions  that  may  not  be  using  fed¬ 
eral  funds  in  accordance  with  the  Office  of  Man¬ 
agement  and  Budget  cost  principles,  administra¬ 
tive  rules  or  within  the  terms  and  conditions  of 
their  federal  award  agreements.  The  framework 
also  demonstrates  how  oversight  organizations  can 
integrate  agency,  recipient  and  open  source  infor¬ 
mation  to  provide  a  more  comprehensive  view  of 
risk  rather  than  using  traditional  risk  identification 
techniques,  such  as  statistical  sampling. 

Lastly,  the  framework  offers  a  methodology  to 
enhance  the  audit  and  investigative  capabilities  for 
all  offices,  regardless  of  staff  size.  Automated  tech¬ 
niques  to  review  data  sets  can  increase  audit  over¬ 
sight  from  a  sample  of  transactions  to  100  percent 
coverage  of  all  transactions  and  can  provide  contin¬ 
uous  auditing  capabilities.  Audit  planning  efforts 
can  identify  expenditure  anomalies  by  comparing 
databases,  reviewing  more  data/transactions  and 
evaluating  risk  areas.  Accordingly,  audit  and  inves¬ 
tigative  work  can  be  targeted  to  areas  of  risk  iden¬ 
tified  through  targeted  review  planning;  thus,  the 
time  and  resources  required  to  determine  whether 
the  grantee’s  use  of  the  grant  funds  met  federal  and 
agency  requirements  can  be  reduced. 


1)  www.grants.gov. 


Visit  www.ignet.gov 


50 


GRANT  RISKS  THROUGHOUT  THE  AWARD 
LIFE  CYCLE 

Life  cycle  oversight  can  be  accomplished  through 
automated  techniques  to  monitor  agency-award 
systems  and  external  data.  The  three  main  phas¬ 
es  in  the  life  cycle  of  grants  are  pre-award,  active 
award  and  award  end/ closeout.  Each  federal  grant¬ 
awarding  agency  compiles  financial  and  award  in¬ 
formation  that  can  be  reviewed  with  data  analytics 
to  identify  anomalous  activities  and  changes  in  ac¬ 
tivity  over  time. 

FIGURE  1:  CONCEPTUAL  FRAMEWORK  FOR 
GRANT  OVERSIGHT 


In  the  pre-award  phase,  the  grant  process  may 
begin  with  a  solicitation  for  proposals  to  address  an 
agency  program  or  interest  area.  During  this  phase, 
agencies  must  guard  against  bias  that  might  result 
from  a  conflict  of  interest,  such  as  panel  members 
who  have  relationships  with  key  proposal  person¬ 


nel  or  the  requesting  recipients.  Common  pre¬ 
award  risks  include: 

•  Funding  over  time  involves  project  grants  that 
are  awarded  through  a  competitive  process 
where  success  rates  traditionally  range  from  20 
percent  to  30  percent.  Significantly  higher  suc¬ 
cess  rates  by  an  institution  or  principal  investi¬ 
gator  would  be  a  potential  indicator  of  risk  of 
weak  controls  over  the  award  process.  This  risk 
can  be  identified  through  analysis  of  award  de¬ 
cisions  in  agency  award  information  systems. 

•  Conflicts  of  interest  involve  a  recipient  or 
someone  with  an  undisclosed  relationship  to 
a  prospective  recipient  or  project,  or  someone 

who  may  have  an  undis¬ 
closed  financial  inter¬ 
est,  personal  interest  or 
professional  interest  in 
that  project.  Conflicts  of 
interest  include  financial 
investments  that  could 
increase  in  value  should 
a  project  be  financed,  or 
a  relative  could  be  part 
of  the  award-decision 
process.  This  risk  can  be 
discovered  through  an 
analysis  of  agency  award 
systems. 

•  False  claims,  certifi¬ 
cations  and  statements 
are  representations  made 
verbally  and/or  in  writ¬ 
ing  by  awardees  to  falsify 
or  conceal  a  material  fact. 
Penalties  under  the  Fed- 

3 

eral  False  Claims  Act  for 
false  representations  can 
be  three  times  the  loss  to 
the  federal  government 
(treble  damages).  Data 
analytics  can  help  uncov¬ 
er  issues  that  result  from 
false  statements  by  displaying  transac¬ 
tions  that  do  not  comport  to  the  state¬ 
ment. 


2)  www.research.gov. 

3)  Federal  False  Claims  Act  (31  USC  3729-3733)  imposes  liability  on  any  person  or  orga¬ 
nization  who  submits  a  claim  to  the  federal  government  that  he  or  she  knows  (or  should 
know)  is  false. 
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•  Duplicate  funding  can  occur  when  candidates 
send  proposals  to  multiple  agencies  to  increase 
funding  chances.  There  is  a  risk  that  multiple 
agencies  will  fund  the  same  work.  Data  analyt¬ 
ics  of  award  abstract  information  from  online 
resources  such  as  www.grants.gov  can  identify 
potential  duplicate  funding. 

•  Inflated  budgets  can  occur  if  a  proposal  bud¬ 
get  requests  a  higher  dollar  amount  than  is 
needed.  The  extra  funds  may  be  used  for  non¬ 
grant  purposes.  Comparisons  of  similar  awards 
within  agency  award  systems  can  identify  po¬ 
tential  award-budget  anomalies. 

•  Candidates  suspended  or  debarred  can  be  dis¬ 
covered  through  the  System  for  Award  Man¬ 
agement  website  at  www.sam.gov,  which  links 
to  the  Excluded  Parties  List  System  website 
that  provides  a  list  of  individuals  and  entities 
excluded  from  doing  business  with  the  federal 
government.  A  suspension  or  a  debarment  is  a 
temporary  prohibition  against  an  institution  to 
participate  in  federal  award  programs,  includ¬ 
ing  receipt  of  funding  and  seeking  new  awards. 
Data  analysis  of  suspension  and  debarment 
information  against  agency  award  systems  can 
identify  institutions  that  should  not  be  partici¬ 
pating  in  award  programs. 

•  High-risk  grantees  include  prospective  or  ex¬ 
isting  grantees  who  may  be  experiencing  chal¬ 
lenges  that  result  in  financial  instability;  may 
have  inadequate  system  of  internal  controls  or 
management  controls;  or  have  not  conformed 
to  the  terms  or  conditions  of  previous  awards. 
As  a  result,  a  grant  could  be  awarded  with¬ 
out  the  benefit  of  any  special  conditions  or 
requirements  to  mitigate  the  high-risk  condi¬ 
tions  if  the  awarding  agency  fails  to  consider 
and  address  adequately  high-risk  indicators 
during  the  pre-award  process.  The  Federal  Au¬ 
dit  Clearinghouse  is  a  repository  for  OMB  Cir¬ 
cular  A- 133  Single  Audit  Act  annual  audits  and 
is  a  source  of  data  that  can  show  these  weak¬ 
nesses.  Comparison  against  agency  award- 
information  systems  can  identify  higher  risk 
institutions. 

During  the  active  award  phase,  recipients  expend 
grant  funds  throughout  the  period  of  performance, 
which  can  range  from  one  to  five  years.  Recipients 
request  reimbursement  payments  from  the  award¬ 
ing  agency  generally  as  an  aggregate  dollar  amount. 


Unlike  contract  payments,  federal  agencies  do  not 
receive  an  invoice  or  other  billing  detail  to  support 
the  expenditures.  While  recipients  provide  quar¬ 
terly,  annual  and  final  reporting,  those  reports  do 
not  detail  how  the  grant  funds  were  expended.  The 
following  can  apply  during  the  active  award  phase: 

•  Audits  conducted  under  OMB  Circular  A- 133 
Single  Audit  Act  provide  some  level  of  over¬ 
sight  regarding  internal  controls  for  recipients 
who  report  expenditures  of  at  least  $500,000 
per  annum,  but  the  scope  of  financial  and 
compliance  testing  is  limited.  Thus,  unallow¬ 
able  use  of  federal  funds  may  not  be  discov¬ 
ered  in  these  audits. 

•  Unallowable  costs  are  those  costs  that  are  not 
allowed  by  OMB  Circulars  and/or  by  federal 
award  terms  and  conditions.  Unallocable  costs 
are  those  that  clearly  do  not  meet  the  purpose 
or  intent  of  the  award.  Unreasonable  costs  are 
often  excessive  charges  or  unnecessary  costs. 
Unallowable,  unallocable  and  unreasonable 
costs  are  generally  reported  as  questioned  costs 
as  part  of  OIG  and  A- 133  audits.  Data  analyt¬ 
ics  of  awardee  general  ledger  information  can 
readily  discover  these  costs. 


FIGURE  2:  ANAMALOUS  GRANT  FUNDS 
DRAWDOWN  PATTERN 


Inadequate  documentation  includes  incon¬ 
sistent  (or  consistent)  labor  charges,  use  of 
a  ghost  employee  or  the  addition  of  an  unal¬ 
lowable  percentage  against  the  grant.  Federal 
awards  require  awardees  to  maintain  proper 
cost  documentation  to  support  award  expen¬ 
ditures.  Receipts  are  required  for  purchases  of 
materials,  equipment  and  supplies,  and  labor 
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charged  to  the  project  must  be  properly  docu¬ 
mented. 

Awardee  general  ledger  differs  from  cash- reim¬ 
bursement  draw  requests:  Comparing  awardee 
financial  information  for  cash  reimbursement 
draw  requests  to  agency  payment  systems  can 
readily  identify  anomalies.  Differences  may 
indicate  funding  was  used  for  non-grant  pur¬ 
poses  or  excessive  levels  of  cash  on  hand. 
Abnormal  cash  reimbursement,  such  as  un¬ 
usual  spikes  in  amounts  or  increased  frequen¬ 
cies  of  cash  reimbursement  requests  could  be 
drawdown  patterns  that  may  be  indicative  of 
requests  to  cover  nonaward  needs  of  the  re¬ 
cipient.  Spikes  in  cash  reimbursement  requests 
can  indicate  that  funds  may  not  be  used  fully 
for  the  purposes  of  the  award.  For  example, 
an  institution  that  makes  a  large,  atypical  cash 
reimbursement  draw  at  the  end  of  the  month 
or  quarter  may  be  using  the  funding  to  meet 
operational  cash  needs  rather  than  the  award. 
Spend-out  charges  near  the  end  of  an  award 
or  after  the  award  may  warrant  even  greater 
attention.  These  patterns  are  visible  in  agency- 
payment  system  data,  and  award  activity  can  be 
charted. 

Inadequate  recipient  reporting,  such  as  late 
or  no  program  and  financial  reporting  to  the 
agency  are  strong  indicators  that  the  project 
may  not  be  progressing  in  accordance  with  the 
terms  of  the  award  and  that  funding  may  not 
be  used  only  for  the  award.  This  information 
is  available  in  agency  financial  and  program 
award  system  data. 

Contracts,  subcontracts  and  consultants  in¬ 
crease  risks  because  parties  other  than  the  pri¬ 
mary  grantee  control  and  expend  grant  funds. 
Grants  budgeted  for  multiple  contracts  and 
consultants,  and/or  with  large  dollar  amounts 
flowing  to  other  parties  should  be  identified  for 
review. 

Potential  duplicate  and  improper  payments 
can  be  seen  in  the  agency  financial  system  data 
as  exact  amounts  usually  requested  within  a 
short  time  period.  Office  of  inspector  general 
staff  can  examine  the  supporting  payment  doc¬ 
umentation  to  ascertain  whether  these  exact 
dollar  amounts  truly  are  duplicate  payments. 
Excess  cash  on  hand,  such  as  cash  requests  that 
exceed  the  needs  of  an  awardee  are  difficult  to 


see  in  agency  financial  system  data  but  can  sur¬ 
face  in  data  analysis  of  awardee  financial  infor¬ 
mation.  Duplicate  payments  also  can  provide 
excess  cash. 

•  Unreported  program  income  is  income  from 
the  project  that  is  not  reported  on  the  Federal 
Financial  Report,  the  annual  report  and/or  the 
closeout  report.  This  can  be  identified  through 
an  analysis  of  awardee  general  ledger  informa¬ 
tion. 

•  An  OMB  Circular  A- 133  Single  Audit  may  not 
be  required  for  recipients  who  receive,  from 
multiple  agencies,  individual  federal  awards 
that  are  below  the  current  $500,000  reporting 
threshold,  but  the  aggregated  awards  may  meet 
the  requirement  for  an  A- 133  Single  Audit  to 
be  performed.  An  analysis  of  Federal  Audit 
Clearinghouse  data  against  agency  award  sys¬ 
tems  and  data  available  in  www.grants.gov  can 
readily  identify  unmet  Single  Audit  require¬ 
ments  and  audit  finding  trends  for  the  institu¬ 
tion. 

During  the  award  end  and  closeout  phase,  no  fur¬ 
ther  costs  are  allowed  to  be  incurred  after  the  pe¬ 
riod  of  performance  for  a  grant  has  ended.  Thus, 
the  recipient  is  responsible  for  reporting  total  ex¬ 
pended  award  funds  to  the  awarding  agency,  both 
to  close  the  agency’s  award  financial  account  and  as 
part  of  the  final  project  report  that  describes  the  re¬ 
sults  and  benefits  of  the  project  financed  with  fed¬ 
eral  award  funds.  The  following  can  occur: 

•  Inappropriate  cost  transfers  are  seen  within 
awardee  financial  information.  A- 133  audit 
testing  may  provide  insight  into  the  potential 
risk  of  inappropriate  cost  transfers.  Awardees 
may  use  funds  from  one  award  with  excess 
funds  to  cover  costs  on  other  awards  that  have 
extinguished  the  funds.  Data  analysis  of  award¬ 
ee  general  ledger  data  can  uncover  inappro¬ 
priate  movement  of  funding  between  awards 
from  a  single  federal  agency  as  well  as  awards 
between  federal  agencies. 

•  Lack  of  final  reporting  or  late  reporting  indi¬ 
cates  higher  risk  awardees  because  the  award¬ 
ees  have  not  provided  timely  information  on 
their  federal  program.  This  information  can  be 
found  in  agency  financial  and  program  award 
systems  data. 

•  Funding  drawdowns  within  the  last  month  of 
an  award  and  requests  made  after  the  award 
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FIGURE  3:  DATA  ANALYTICS  FOR  GRANT  OVERSIGHT 
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expiration  are  higher  risk  transactions,  par¬ 
ticularly  when  request  levels  spike  dramatically 
from  their  normal  patterns.  Funding  requests 
can  be  seen  in  agency  systems  as  well  as  in 
awardee  financial  systems  data.  Expenditures 
for  equipment  and  materials  at  the  end  of  an 
award  or  after  its  expiration  date  can  often  be 
unrelated  to  the  purpose  of  a  federal  award  and 
are  questionable. 

•  Financial  adjustments  should  be  identified 
and  reviewed,  which  includes  unusual  dollar 
amounts,  numbers  of  adjustments,  timing  of 
adjustments  and  cost  transfers  to  or  from  other 
accounts.  Data  analysis  of  awardee  general  led¬ 
ger  information  can  show  anomalous  financial 
adjustments. 

•  Cost  sharing  is  an  award  requirement  to  pro¬ 
vide  a  percentage  of  nonfederal  funding  to  ob¬ 
tain  the  federal  funds.  Awardee  matching  fund 
information  must  be  validated  in  the  awardee 
financial  systems  data.  Data  analysis  of  award¬ 
ee  general  ledger  information  can  show  unmet 
cost  share  by  the  recipient. 


DATA  ANALYTICS 
FOR  GRANT 
OVERSIGHT 
The  framework  pro¬ 
vides  an  alternative  ap¬ 
proach  to  auditing  by 
emphasizing  the  use  of 
automated  techniques 
in  the  audit  planning 
process  as  well  as  pro¬ 
viding  a  way  to  uncover 
questionable  transac¬ 
tions  during  fieldwork. 
The  framework  for 
grant  oversight  pro¬ 
vides  agencies,  auditors, 
and  investigators  with 
a  data  analytics-driven 
methodology  to  identify 
recipients  that  may  not 
use  federal  funds  prop¬ 
erly  and  to  perform  life 
cycle  oversight.  Data 
from  multiple  databases  can  be  compared  and 
analyzed  to  identify  anomalies  in  recipient  federal 
award  cost  data  and  expenditure  patterns.  At  the 
end  of  an  engagement,  it  is  important  to  determine 
the  usefulness  of  the  grant  fraud  indicator(s),  i.e., 
what  worked  and  what  did  not  work  in  the  data 
analytics  process  to  help  refine  the  modeling.  False 
positives  (transactions  that  look  unallowable  but 
are  allowable)  can  be  reduced  by  providing  feed¬ 
back  to  the  data  analytics  and  modeling  team. 

PHASE  I  -  IDENTIFICATION  OF  HIGHER  RISK 
INSTITUTIONS 

Agency  proposal  and  award  data  combined  with 
externally  available  information  can  show  awardee 
activity  over  time,  including  anomalous  patterns. 
Agencies  maintain  grant  proposal  and  award  fi¬ 
nancial  information  at  the  grant-level  and  institu¬ 
tion-level  as  part  of  their  award  and  post- award 
monitoring  efforts.  This  includes  information,  such 
as  proposal  narratives,  panel  scoring,  quarterly  re¬ 
ports,  drawdowns  and  closeout  reconciliation.  This 
information  can  be  extracted  into  an  OIG  database 
and  combined  with  other  open-source  informa¬ 
tion,  which  is  available  on  the  Internet,  to  produce 
an  institution  risk  profile  that  can  be  compared 
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FIGURE  4:  RISK  IDENTIFICATION  FRAMEWORK 
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against  other  institutions  to  surface  outliers.  Actual 
expenditures  by  awardees  are  not  readily  visible  to 
agency  officials.  Unlike  contract  payments,  requests 
for  financial  assistance  award  funds  are  not  nor¬ 
mally  accompanied  by  supporting  documentation, 
such  as  invoices  and  receipts — this  level  of  detail  is 
available  during  the  framework’s  Phase  II  testing  of 
awardee  general  ledger  information.  Information 
that  is  visible  to  awarding  agencies  often  only  in¬ 
cludes  lump  sum  cash  drawdown  requests  without 
specific  information  about  the  underlying  grants. 
The  primary  control  agencies  can  apply  to  sum¬ 
mary  funding  requests  is  to  compare  the  amount 
of  the  funding  request  against  remaining  balance 
of  open  awards  before  making  the  disbursement.  If 
there  are  sufficient  funds,  the  agency  can  make  the 
disbursement.  If  funds  are  not  sufficient,  the  award¬ 
ing  agency  contacts  the  institution.  Summarized 
funding  requests  can  still  provide  useful  insight  for 
identifying  potentially  risky  payments,  such  as  ex¬ 
penditures  unrelated  to  a  federal  award.  Auditors 


and  investigators  can  examine  payment  history 
over  time  to  look  for  drawdown  spikes,  which  can 
be  an  indicator  of  institutions  using  federal  funds 
to  cover  the  cost  of  institution  operations,  and  not 
authorized  grant  activities.  This  is  particularly  true 
if  funding  requests  occur  around  common  finan¬ 
cial  reporting  periods,  such  as  end  of  the  month, 
quarter,  or  year. 

Federal  Financial  Reports  capture  grant  expen¬ 
ditures  at  a  summary  level  for  the  previous  quar¬ 
ter  by  grant  award.  The  automated  reports  provide 
high-level  information  on  grant  spending  and  rec¬ 
onciliation  information  that  agencies  use  to  make 
adjustments  to  award  funding  requests  made  dur¬ 
ing  the  quarter.  While  the  FFR  data  is  reported  in 
90-day  increments,  it  still  provides  spending-pat- 
tern  information.  For  example,  a  last-quarter  FFR 
with  higher  than  normal  funding  expenditures  can 
be  an  indication  of  an  awardee  spending  out  the 
remainder  of  an  awards  grant  funds  for  purposes 
other  than  the  terms  and  conditions  of  the  grant.  It 
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may  also  be  an  indicator  that  funds  were  spent  after 
the  award  expiration  date  as  FFRs  are  not  normally 
submitted  in  quarters  after  the  award  has  expired. 
Those  expenditures  may  have  been  collapsed  into 
the  last  FFR  for  the  grant.  FFRs  that  are  in  database 
formats  are  another  valuable  tool  to  identify  poten¬ 
tial  misuse  of  federal  funds.  Award  management 
and  financial  information  are  additional  ways  to 
gain  insight  on  awardee  risks.  Special  payment  and 
late  reporting  information  can  signal  higher  risk 
activities  by  an  awardee.  Careful  examination  of 
the  information  provides  auditors  and  investigators 
with  an  additional  capability  to  identify  institutions 
that  may  not  be  using  federal  funds  properly. 

Externally  available  data,  such  as  institution- 
level  information  is  captured  by  a  number  of  or¬ 
ganizations  within  and  outside  the  federal  gov¬ 
ernment.  As  noted  previously,  reports  completed 
under  the  requirements  of  the  A- 133  Single  Audit 
Act  are  maintained  in  the  Federal  Audit  Clearing¬ 
house  and  can  be  compared  with  agency  finan¬ 
cial  and  program  award  information  to  provide 
additional  risk  information.  Dun  and  Bradstreet 
has  financial  information  on  most  entities  within 
the  U.S.  and  also  maintains  financial  risk  scores, 
which  can  provide  valuable  insight  on  an  institu¬ 
tions  financial  stability.  The  Excluded  Parties  List 
System  maintains  information  on  institutions  and 
individuals  who  have  been  suspended  or  debarred 
from  performing  on  federal  contracts  or  grants. 
The  ELPS  includes  current  and  historical  informa¬ 
tion.  Current  matches  against  the  ELPS  would  be 
a  signal  that  the  institution  should  not  be  doing 
business  with  the  government.  A  historical  match 
would  provide  a  valuable  indicator  of  potential  risk 
that  funds  may  not  be  used  properly  by  the  institu¬ 
tion.  The  System  for  Award  Management  provides 
organizational  and  operating  information  on  con¬ 
tractors  and  grantee  institutions  that  wish  to  do 
business  with  the  federal  government.  Information 
from  the  various  sources  can  be  refreshed  periodi¬ 
cally.  Key  to  combining  agency  data  with  externally 
available  open-source  information  is  a  way  to  link 
the  data  from  the  various  files.  This  normally  is  an 
institution  identifier  such  as  an  entity  identification 
number,  D  &  B’s  Data  Universal  Numbering  System 
and/or  a  commercial  and  government  entity  code 
from  the  SAM.  Data  from  these  external  sources  is 
generally  available  through  Web-accessible  portals 
and  download  functions. 


Establishing  a  data  repository  to  compile  fed¬ 
eral  award  and  federal  awardee  data  from  multiple 
sources  (both  internal  and  external  to  the  award¬ 
granting  agency)  provides  a  capability  to  assign 
risk  to  its  awards  and  award  recipients.  This  cen¬ 
tral  repository,  coupled  with  the  use  of  data  mining 
techniques,  will  allow  the  examination  of  all  avail¬ 
able  records  related  to  a  specific  federal  award  or 
federal  award  recipient  rather  than  just  a  sample.  It 
will  also  facilitate  comparisons  of  data  from  mul¬ 
tiple  systems  to  create  data  relationships,  perform 
comparisons  and  other  analytics,  summarize  large 
volumes  of  data,  and  identify  anomalies  and  trends 
over  time. 

Agency  data  (grant  level)  is  the  initial  step  in 
building  a  data  repository  by  constructing  a  data¬ 
base  of  agency  award  data  at  the  individual  award 
level.  This  data  includes  pre- award  data  from  in¬ 
stitution  proposals  that  show  panel  scoring  re¬ 
sults  (individual  scores,  and  summary),  detailed 
cost  categories  from  award  budgets  and  funding 
changes  throughout  the  panel  review  process.  The 
repository  would  also  include  agency  award  infor¬ 
mation  throughout  the  active  award  phase  of  the 
grant,  such  as,  cash  reimbursement-request  history 
and  cash  draw  patterns,  burn  rate  (how  quickly  an 
awardee  spends  its  grant  funds),  special  payment 
flags,  etc.  Individual  grant  risk  indicators  can  be 
developed  for  these  kinds  of  risks  and  applied  to 
the  database  to  provide  a  grant-based  risk  score 
that  is  helpful  for  on-site  grant  audit  and  investi¬ 
gative  teams  to  focus  their  attention  during  their 
work. 

Individual  grant  awards  for  an  institution  can 
be  summarized  at  the  institution  level  to  allow  for 
comparisons  against  external  data  sources,  such  as, 
ELPS,  SAM,  FAC,  and  D&B  databases.  This  com¬ 
parison  allows  for  the  development  of  institution- 
level  risk  flags  and  a  composite  score  that  auditor 
and  investigative  teams  can  use  to  identify  higher- 
risk  institutions. 

The  detailed  testing  of  institution  detailed 
transaction  level  data  from  general  ledgers  pro¬ 
vides  the  most  compelling  evidence  for  identify¬ 
ing  potentially  questionable  costs  for  audits  and 
investigations.  Risk  indicators  of  high-risk  condi¬ 
tions  can  be  coded  into  the  data  analytics  tools  and 
databases  to  show  inconsistencies  in  cost  transfers, 
inappropriate  equipment  purchases,  ghost  employ¬ 
ees,  etc. 
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The  oversight  database  can  be  analyzed  with  any 
number  of  data  analytical  tools.  Common  audit  ap¬ 
plications  such  as  ACL,  IDEA  and  Microsoft  Access 
can  combine  data  files  and  perform  data  field  analy¬ 
sis  to  surface  anomalous  activity.  More  sophisticat¬ 
ed  applications  such  as  SAS  Enterprise  Miner  and 
IBM  Modeler  have  data  mining  features  that  can 
surface  underlying  anomalies  and  patterns  within 
the  financial  and  program  information  that  warrant 
further  attention.  The  tools  can  examine  data  fields 
for  outliers  and  anomalies,  both  within  a  database 
and  activity  over  time.  Additionally,  the  tools  can 
produce  risk-based  profiles  on  several  levels,  e.g., 
grant-type,  institution-type,  drawdown  frequency. 
These  tools  can  develop  institution  profiles  that 
show  normal  financial  and  program  behavior,  e.g., 
drawdown  frequency  and  amount.  The  data  analysis 
applications  can  also  provide  additional  insight  into 
risky  activity  such  as  unusual  bank  account  changes 
and  special  payment  status.  The  resultant  continu¬ 
ous  auditing  database  essentially  provides  a  list  of 
all  institutions  (rows)  and  fields  (columns)  with 
the  scoring  results  of  the  various  indicators,  some 
of  which  would  be  weighted  higher  or  lower,  based 
on  risk.  The  sum  of  the  indicator  risk  scores  creates 
a  composite  risk  index  for  the  institution  that  can 
be  used  to  compare  institutions  as  depicted  in  the 
Risk  Identification  Framework  on  page  55.  While  a 
single  risk  indicator  can  provide  important  insight, 
a  composite  risk  indicator  developed  by  combining 
several  single  risk  indicators  provides  even  greater 
visibility  of  anomalous  activities  and  potential  risks. 

PHASE  II  —  DATA  ANALYTICS  DRIVEN 
REVIEW  APPROACH 

This  standardized  review  approach  applies  to  steps 
that  occur  after  an  awardee  has  been  selected,  and 
it  will  help  to  identify  highest-risk  areas  and  trans¬ 
actions  related  to  an  awardee,  which  should  be  re¬ 
viewed  and  audited.  The  steps  in  this  process  are: 

First,  it  is  necessary  to  obtain  automated  award¬ 
ee  financial  and  program  data  and  compare  that  to 
agency  data.  By  obtaining  large  amounts  of  data 
(e.g.,  the  general  ledgers  for  all  awards  from  a  par¬ 
ticular  Institution)  and  comparing  an  awardee’s  data 
to  agency  data,  it  is  possible  to  identify  quickly  and 
efficiently  any  discrepancies  that  exist.  Further,  by 
using  automated  techniques,  this  process  includes 
a  100  percent  automated  review  of  the  transaction- 
level  data  for  awards  from  that  agency.  The  dis¬ 


crepancies  indicate  the  areas  in  which  to  focus  at¬ 
tention.  For  example,  if  there  are  large  differences 
between  amounts  of  expenditures  recorded  in  the 
general  ledger  for  a  particular  project  grant  and  the 
amount  reported  to  the  agency  for  that  grant,  that 
grant  would  at  least  warrant  further  scrutiny. 

Although  comparing  general  ledgers  to  spend¬ 
ing  reports  submitted  to  the  agency  are  routine 
audit  steps,  automating  the  process  would  enable 
the  selection  of  potentially  higher-risk  grants  at 
the  outset,  whereas  in  traditional  audit  processes, 
the  comparison  of  grantee  and  agency  data  occurs 
after  particular  grants  are  selected  for  audits  based 
on  other  criteria,  such  as  large  dollar  amounts  in 
known  high-risk  budget  categories. 

Second,  it  is  necessary  to  perform  analytics 
on  awardee  data  to  look  for  anomalies,  such  as  the 
unusual  spending  patterns  presented  in  the  Grant 
Risks  Throughout  the  Award  Cycle  section  and  il¬ 
lustrated  in  the  Conceptual  Framework  for  Grant 
Oversight  chart.  Obtaining  grantee  data  can  iden¬ 
tify  transactions  that  may  circumvent  the  require¬ 
ment  to  return  unused  funds  to  the  agency,  such  as 
cost  transfers  from  expiring  awards  to  awards  that 
are  open  or  expenditures  of  unused  funds  at  the 
end  of  the  grant  for  budget  categories  that  did  not 
support  the  work  of  the  grant. 

Automated  analytical  tests  of  general  ledger  in¬ 
formation  can  uncover  questionable  expenditures 
that  review  teams  can  perform  in-depth  testing  on 
to  determine  what  is  allowable,  allocable  and  rea¬ 
sonable.  Large  operational  equipment  purchases 
near  the  end  of  a  grant’s  expiration  date  are  a  strong 
indicator  that  funds  are  not  being  used  for  the 
purposes  of  the  grant.  Excessive  and  inappropri¬ 
ate  travel  expenditures  are  also  visible  in  institu¬ 
tion  general  ledger  information,  such  as,  frequent 
foreign  travel  with  first-class  seating  and  high-end 
lodging  accommodations.  Analytics  can  also  dis¬ 
cover  expenditures  charged  to  one  federal  agency’s 
grants  that  are  actually  for  other  federal  awards  re¬ 
ceived  by  that  same  institution.  Testing  can  be  con¬ 
ducted  to  identify  excessive  cash  draws  early  in  the 
award  that  institutions  use  for  purposes  not  related 
to  the  grant.  This  is  important  because  federal  grant 
funds  are  not  intended  to  provide  institutions  with 
an  interest-free  line  of  credit  to  fund  other  activi¬ 
ties. 

Indeed,  testing  an  institution’s  general  ledger 
data  against  agency  information  can  provide  im- 
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portant  award  expenditure  information  that  would 
not  surface  using  traditional  grant  auditing  tech¬ 
niques.  This  occurs  because  using  automated  tools 
and  techniques  allows  a  100-percent  review  of  the 
data  and  provides  a  powerful  way  to  surface  poten¬ 
tial  misuse  of  federal  funds.  A  100-percent  review 
is  in  contrast  to  the  traditional  financial-assistance 
audit  that  uses  statistical-sampling  approaches, 
which  would  result  in  examining  fewer  transactions 
and  lower- questioned  costs.  Testing  against  exter¬ 
nal  data  also  helps  corroborate  and  validate  risk 
areas  identified  through  earlier  comparisons  with 
the  A- 133  FAC,  D&B,  SAM  and  EPLS  databases. 
By  comparing  agency  financial  and  program  data 
against  external  data  sources  and  the  institutions 
general  ledger  data,  offices  of  inspectors  general  can 
provide  greater  oversight  of  federal  funds  at  an  in¬ 
stitution. 

CONCLUSION 

In  summary,  using  data  analytics  throughout  the 
grant  life  cycle  can  provide  oversight  organizations 
with  greater  visibility  and  insight  into  how  institu¬ 
tions  are  using  federal  funds  resulting  in  greater 
accountability  and  transparency.  Data  analysis  of 
agency  award  information,  combined  with  available 
external  and  awardee  data  can  help  identify  higher 
risk  institutions  for  planning  purposes  as  well  as 
surface  anomalous  and  questionable  grant  expen¬ 
ditures  during  audit  work.  While  offices  of  inspec¬ 
tors  general  can  enhance  their  oversight  using  the 
framework  for  grant  oversight,  other  oversight  or¬ 
ganizations  within  federal  agencies  can  also  benefit 
from  the  approach.  Collectively,  these  organizations 
can  provide  greater  assurance  to  the  public  that 
government  funds  are  being  used  appropriately,  so 
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DoD  Efforts  to  Achieve  Audit  Readiness 
and  Obtain  an  Unqualified  Opinion 


By  James  Davis  Jr 

The  Department  of  Defense  is  currently  unable 
to  obtain  any  opinion,  let  alone  an  unqualified 
opinion,1 2 3 4  on  its  financial  statements  because  it  is 
not  “audit  ready.”  Why  is  achieving  auditability 
important?  “The  need  to  produce  a  financial  state¬ 
ment  and  achieve  a  clean  audit  opinion”  leads  to 
better  financial  management.  Financial  statements 
are  a  documented  form  of  transparency  and  ac¬ 
countability.  Certainly,  “transparency  and  accessi¬ 
bility  of  public  information  in  the  promotion  and 
maintenance  of  public  sector  accountability”  is  of 
great  concern  to  public  administration  and  man¬ 
agement  scholars. 

However,  these  scholars  as  well  as  the  Ameri¬ 
can  public  could  learn  from  the  use  of  financial 
reports.  Public  officials  are  to  be  proper  stewards 
of  the  citizens’  trust  and  resources.  In  these  tough 
economic  times,  senior  leaders  need  to  make  dif¬ 
ficult  budgetary  decisions  based  upon  reliable, 
timely  information.  Therefore,  outside  observers, 
like  the  American  taxpayer,  should  be  knowledge¬ 
able  about  how  civil  servants  at  DoD  spend  their 
tax  dollars.  We  all  have  a  vested  interest  in  achiev¬ 
ing  a  successful  outcome.  Yet,  studies  suggest  that 
decision-makers  do  not  use  federal  financial  state¬ 
ments  to  make  decisions,  and  that  DoD’s  problem 
with  CFO  Act  compliance  can  be  traced  back  to 
accounting  practices  and  philosophies  under  Sec¬ 
retary  McNamaras  administration. 


1 )  According  to  Wikipedia,  an  unqualified  opinion  is  an  opinion  when  "the  auditor 
concludes  that  the  financial  statements  give  a  true  and  fair  view  in  accordance  with  the 
financial  reporting  framework  used  for  the  preparation  and  presentation  of  the  financial 
statements"  (Retrieved  from  en.wikipedia.org/wiki/,  p.  1 ,  searched  January  through  March 
2012). 

2)  Brook,  D.,  (2010).  Audited  Financial  Statements  in  the  Federal  Government:  Intentions, 
Outcomes  and  On-going  Challenges  for  Management  and  Policy-making.  Journal  of 
Public  Budgeting,  Accounting  &  Financial  Management,  22(1),  p.61 . 

3)  Kioko,  S.,  Marlowe  J.,  Matkin,  D.,  Moody,  M.,  Smith  D.,  and  Zhao,  Z.  (201 1 ).  Why  Public 
Financial  Management  Matters.  Journal  of  Public  Administration  Research  and  Theory,  21, 
p.  il  16. 

4)  Hanks,  C.,  (2009).  Financial  Accountability  at  the  DoD:  Reviewing  the  Bidding,  pp. 

184-6. 


Nevertheless,  DoD  has  continually  been  given 
a  disclaimer  on  its  financial  statements,  due  to  at 
least  13  uncorrected  material  weaknesses  in  the 
areas  of  financial  management  and  feeder  systems, 
Fund  Balance  with  Treasury,  Accounts  Receivable, 
Inventory,  and  General  Property,  Plant  and  Equip¬ 
ment.  Since  DoD  as  an  agency  is  material  to  the 
overall  federal  government,  the  federal  government 
cannot  obtain  an  opinion  on  its  consolidated  finan¬ 
cial  statements.  In  addition,  once  DoD  is  auditable 
and  obtains  an  unqualified  opinion,  the  DoD  would 
be  “better  positioned  to  have  accurate  and  timely 
information  on  a  daily  basis  to  ensure  that  every 
dollar  supports  the  warfighters,  improves  military 
readiness  and  is  readily  available  to  key  decision 
makers.”  Therefore,  achieving  audit  readiness  is  of 
the  utmost  importance. 

EVIDENCE  (CAUSES) 

DoD,  as  a  whole,  has  never  achieved  an  unqualified 
opinion  on  its  financial  statements,  because  it  is 
not  “audit  ready.”  GAO  reported  that  “DoD  finan¬ 
cial  management  has  been  on  GAO’s  high-risk  list 
since  1995,  and  despite  several  reform  initiatives,  it 
remains  on  the  list  today.” 

DoD  is  not  ready  for  a  full  financial  statement 
audit  because  of  the  following: 

•  Changes  in  leadership  and  priorities. 

•  Lack  of  an  effective  plan  to  address  internal 
control  weaknesses. 

•  Lack  of  an  adequately  trained  financial 
management  workforce. 

•  Ineffective  “accountability  and  oversight.” 


5)  Department  of  Defense  Agency  Financial  Report  for  FY  2010 ,  p.  32,  and  Blair,  D.,  (201 1). 
Statement  of  Daniel  R.  Blair,  Deputy  Inspector  General  for  Auditing,  DoDIG,  before  the 
Subcommittee  on  Government  Organization,  Efficiency  and  Financial  Management, 
Committee  on  Oversight  and  Government  Reform,  on  "Financial  Management  and 
Internal  Control  Challenges  at  the  Department  of  Defense,"  pp.  3  &  1 9. 

6)  GAO-1 1 -864T  (201 1 ).  DoD  Financial  Management:  Numerous  Challenges  Must  Be  Ad¬ 
dressed  to  Achieve  Auditability,  p.  1 . 
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•  Lack  of  a  “well-defined  enterprise 
architecture.” 

•  Delays  in  enterprise  resource  planning  system 
implementation. 

The  Brook  Study  found  that  many  agencies 
“achieved  clean  audit  opinions  by  applying  extraor¬ 
dinary  effort  to  key  problem  areas.”  Extraordinary 
effort  was  defined  as  “the  employment  of  large 
numbers  of  personnel  to  accomplish  tasks  that  the 
current  systems  and  procedures  cannot  manage.” 
Examples  cited  include  “assigning  task  forces  of 
extra  personnel,  hiring  contractors,  etc.”  However, 
“heroic  effort”  could  be  “expensive  and  difficult 
to  sustain.”  Therefore,  gaining  and  maintaining  a 
clean  opinion  may  not  be  an  option. 

"...  o6Cigations  made  during 
execution  to  provide  for  nationa[ 
security  in  the  future,  not  the 
historicaC  costs  tracked  6y  private 
sector-sty [efinanciah  accounting.  ” 

GAO  noted  that  “improvements  to  DoD  finan¬ 
cial  management  would  require  the  involvement 
of  DoD  operations  performing  other  business 
functions  that  interact  with  financial  manage¬ 
ment,  which  includes  higher-risk  areas  in  contract 
management,  supply  chain  management,  support 
infrastructure  management,  and  weapons  system 
acquisition.”  DoD  officials  acknowledged  that 
“sustained  and  active  involvement  by  the  DoD’s 
chief  management  officer,  the  deputy  chief  man¬ 
agement  officer,  the  military  departments’  chief 
management  officers,  the  DoD  comptroller  and 
other  senior  leaders  is  critical.”  GAO  indicated  that 
“within  every  administration,  there  are  changes 
at  the  senior  leadership.”  Therefore,  involvement 
across  DoD  and  at  all  levels  is  necessary  for  achiev¬ 
ing  a  positive  outcome. 

Still,  Dr.  Christopher  Hanks,  a  defense  ana¬ 
lyst,  repeats  the  argument  first  made  by  former 

7)  Ibid. 

8)  Brook,  D.,  (2001).  Audited  Financial  Statements:  Getting  and  Sustaining  "Clean" 
Opinions,  p.  34. 

9)  GAO-1 1 -864T  (201 1 ).  DoD  Financial  Management:  Numerous  Challenges  Must  Be  Ad¬ 
dressed  to  Achieve  Auditability,  p.  10 

10)  Ibid. 


DoD  Comptroller  Robert  Anthony  that  the  DoD’s 
decision-making  is  more  driven  by  “world  events, 
politics  and  the  budget.”  Hanks  makes  an  addi¬ 
tional  argument  that  DoD  would  focus  on  address¬ 
ing  “obligations  made  during  execution  to  provide 
for  national  security  in  the  future,  not  the  histori¬ 
cal  costs  tracked  by  private  sector-style  financial 
accounting.”  Although  Hanks  suggests  that  DoD 
should  move  toward  a  managerial  accounting  ap¬ 
proach  to  aid  internal  users  to  control  costs,  he  also 
points  out  that  the  Association  of  Government  Ac¬ 
countants’  2008  CFO  Survey  revealed  that  federal 
executives  and  managers  do  not  use  financial  state¬ 
ments  to  make  decisions.  Therefore,  senior  lead¬ 
ers  at  DoD  need  to  become  more  involved  in  Chief 
Financial  Officers  Act  compliance. 

According  to  the  Brook  Study,  agencies  with 
demonstrated  senior  leadership  commitment  have 
achieved  more  clean  audit  opinions.  This  was  de¬ 
termined  to  be  “the  single,  most  important  man¬ 
agement  factor  in  achieving  clean  audit  opinions.” 
The  study  concluded  that  “agency  leaders  who 
decide  that  producing  a  reliable  audited  financial 
statement  is  an  organizational  priority  can  direct 
resources  and  energy  into  that  area  and  hold  man¬ 
agers  accountable  for  achieving  that  goal.” 

Secretary  of  Defense  Leon  Panetta,  has  quickly 
become  involved  in  accelerating  the  readiness  ef¬ 
fort.  In  an  October  2011  memorandum,  he  directs 
the  DoD  comptroller  to  “provide  a  plan  to  achieve 
audit  readiness  for  the  Statements  of  Budgetary 
Resources  by  the  end  of  2014,  increase  emphasis 
on  accountability  for  assets,  execute  a  full  review 
of  DoD’s  financial  controls  over  the  next  two  years 
and  establish  interim  goals  to  assess  progress,  en¬ 
sure  mandatory  training  for  audit  and  other  key 
financial  efforts,  and  meet  the  legal  requirement  to 
achieve  full  audit  readiness  for  all  DoD  financial 
statements  by  2017.” 

DoD  is  “responsible  for  establishing,  maintain¬ 
ing  and  assessing  internal  controls  to  provide  rea¬ 
sonable  assurance  that  it  meets  the  requirements 
of  the  Federal  Managers’  Financial  Integrity  Act” 
and  by  complying  with  OMB  Circular  No.  A- 123, 
“Management’s  Responsibility  for  Internal  Control 


1 1 )  Hanks,  C.,  (2009).  Financial  Accountability  at  the  DoD:  Reviewing  the  Bidding,  p.  1 87. 

12)  Ibid,  p.  190. 

13)  Ibid.,  pp.  184&192. 

14)  Brook,  D.,  (2001).  Audited  Financial  Statements:  Getting  and  Sustaining  "Clean" 
Opinions,  pp.  29-30. 

15)  Panetta,  L.  (201 1).  Improving  Financial  Information  and  Achieving  Audit  Readiness 
Memo,  pp.  1-2. 
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in  the  Federal  Government.”  DoD  management 
uses  certain  criteria  for  identifying  material  weak¬ 
nesses.  These  include  meriting  the  attention  of  the 
resident  and  Congress,  impairing  essential  opera¬ 
tions  or  mission  completion,  or  either  noncompli¬ 
ance  or  nonconformance  with  laws  and  regulations 
or  system  requirements.  As  stated  previously, 
DoD  has  identified  at  least  13  uncorrected  mate¬ 
rial  weaknesses  but  does  not  have  a  comprehensive 
plan  to  address  them. 

Another  factor  to  achieving  audit  readiness 
is  for  DoD  leaders  to  ensure  that  personnel  are 
equipped  with  the  knowledge,  skills  and  abili¬ 
ties  necessary  for  attaining  that  objective.  How¬ 
ever,  GAO  reported  that  DoD  had  not  completed 
a  “competency  gap  assessment  in  the  existing  or 
projected  overall  civilian  workforce”  or  a  “plan  of 
action  identifying  recruiting  and  retention  goals.” 
These  were  initially  required  by  the  National  De¬ 
fense  Authorization  Act  for  Fiscal  Year  2006  and 
made  a  permanent  requirement  in  the  Fiscal  Year 
2010  Act.20 


One  of  the  most  important  factors  to  achieving 
audit  readiness  is  for  DoD  leaders  to  ensure  that 
personnel  are  held  accountable  for  achieving  au¬ 
dit  readiness  as  part  of  their  responsibilities.  DoD 
had  created  a  chief  management  officer  position  in 
response  to  limitations  in  “management  respon¬ 
sibility,  accountability  and  control  over  business 
transformation-related  activities  and  applicable 
resources.”  It  wasn’t  until  recently  that  audit  readi¬ 
ness  goals  were  part  of  evaluating  the  performance 
of  senior  executives.  Limited  oversight  and  ac¬ 
countability  could  slow  the  progression  towards 
audit  readiness. 

GAO  has  reported  that  DoD  has  updated  its 
“corporate  enterprise  architecture,”  but  it  hasn’t  ex¬ 
panded  that  effort  by  adding  “complete,  coherent 
subsidiary  architectures”  for  the  individual  DoD 

'  23 

components.  In  addition,  GAO  found  that  DoD 
did  not  have  adequate  policies  and  procedures  for 


1 6)  Department  of  Defense  Agency  Financial  Report  for  FY  201 0,  p.  30. 

17)  Ibid. 

1 8)  GAO-1 1 -864T  (201 1 ).  DoD  Financial  Management:  Numerous  Challenges  Must  Be  Ad¬ 
dressed  to  Achieve  Auditability,  p.  1 1. 

19)  GAO-1 1-827T  (2011).  DoD  Civilian  Personnel: Competency  Gap  Analyses  and  Other 
Actions  Needed  to  Enhance  DoD's  Strategic  Workforce  Plans,  p.  1 . 

20)  House  Armed  Services  Committee  Panel  on  Defense  Financial  Management  and 
Auditability  Reform,  Findings  and  Recommendations,  January  24, 201 2,  p.  1 7. 
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making  investment  decisions  to  address  informa¬ 
tion  technology  and  system  requirements.  There¬ 
fore,  DoD  is  missing  a  complete,  well-defined  ar¬ 
chitecture. 

DoD  personnel  indicated  that  enterprise  re¬ 
source  planning  systems  implementation  is  key  to 
achieving  the  audit  readiness  milestone  of  Sept.  30, 
2017.  However,  GAO  found  issues  with  the  “Army’s 
and  Air  Force’s  new  general  ledger  system.”  The 
issues  included  “operational  problems,  gaps  in  ca¬ 
pabilities  that  required  work-arounds  and  training 
that  was  not  focused  on  system  operation.”  There¬ 
fore,  DoD  needs  to  lessen  the  delays  in  implement¬ 
ing  these  systems  and  ensure  that  the  implementa¬ 
tions  are  done  correctly. 

IDENTIFICATION  AND  ANALYSIS  OF 

ALTERNATIVES 

THE  ALTERNATIVES 

The  alternatives  and  recommended  solutions  as 
identified  by  GAO  and  other  research  are  listed  be¬ 
low: 

Alternative  A —  Maintain  the  Status  Quo 
Alternative  B —  Effective  Plan  to  Correct  Internal 
Control  Weaknesses 

Alternative  C —  Educated  Financial  Management 
Workforce 

Alternative  D —  Accountability  and  Effective 
Oversight 

Alternative  E —  Well-defined  Enterprise 
Architecture 

Alternative  F —  Successful  Implementation  of  the 
Enterprise  Resource  Planning 
Systems 

Alternative  G —  All  of  the  Above  Except 
Alternative  A 

ALTERNATIVE  A:  MAINTAIN  THE  STATUS 
QUO 

DoD  can  continue  on  the  current  path,  where 
“pervasive  deficiencies  in  financial  management 
processes,  systems  and  controls,  and  the  resulting 
lack  of  data  reliability  impair  management’s  ability 
to  assess  the  resources  needed  for  DoD  operations; 
track  and  control  costs;  ensure  basic  accountabil¬ 
ity;  anticipate  future  costs;  measure  performance; 
maintain  funds  control;  and  reduce  the  risk  of  loss 


24)  Ibid.  p.  19. 
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from  fraud,  waste  and  abuse.”  The  current  path 
would  likely  result  in  a  disclaimer  of  opinion,  and 
senior  leaders  would  struggle  to  make  major  bud¬ 
getary  decisions  using  unreliable  information. 

ALTERNATIVE  B:  CORRECT  MATERIAL 
WEAKNESSES 

GAO  indicated  that  “DoD  currently  has  efforts  un¬ 
derway  to  address  known  internal  control  weak¬ 
nesses  through  three  interrelated  programs:  (1) 
Internal  Controls  over  Financial  Reporting,  (2) 
Enterprise  Resource  Planning  Systems  implemen¬ 
tation  and  (3)  the  FIAR  Plan.”  However,  DoD 
has  not  identified  “specific  control  actions”  for  ad¬ 
dressing  all  elements  of  the  FIAR  Plan,  specifically 
those  identified  in  Waves  4  and  5.  GAO  reported 
that  those  actions  pertaining  to  “asset  account¬ 
ability  and  other  financial  reporting  matters”  need 
to  be  identified.  GAO  concluded  that  a  “compre¬ 
hensive  plan  that  identifies  all  of  DoD’s  internal 
control  weaknesses  would  be  critical  to  resolving 
long-standing  weaknesses  and  will  require  consis¬ 
tent  management  oversight  and  monitoring  for  it 
to  be  successful.”  As  mentioned  previously,  Sec¬ 
retary  Panetta  has  also  emphasized  addressing  the 
internal  control  issue  by  requiring  the  execution  of 
a  full  review  of  DoD’s  financial  controls  in  the  next 
two  years  and  establishing  interim  goals  to  assess 
progress. 

DoD  IG  testified  that  DoD’s  poor  internal  con¬ 
trols  put  it  at  risk  of  violating  the  Ant- Deficiency 
Act.  Control  environment  weaknesses  impair 
DoD’s  ability  to  “determine  the  amount  of  funds 


27)  GAO-1 1 -864T  (201 1 ).  DoD  Financial  Management:  Numerous  Challenges  Must  Be  Ad¬ 
dressed  to  Achieve  Auditability,  p.  1. 

28)  Ibid.,  p.  11. 

29)  Ibid. 


available  to  spend,”  leading  to  “potential  over-ob¬ 
ligating  and  over- expending  appropriations.”  DoD 
IG  reported  that  this  condition  was  due  to  a  lack 
of  internal  controls  and  training.  GAO  reached  a 
similar  conclusion. 

ALTERNATIVE  C:  EDUCATED  FINANCIAL 
MANAGEMENT  WORKFORCE 
“Effective  financial  management  in  DoD  will  re¬ 
quire  a  knowledgeable  and  skilled  workforce  that 
includes  personnel  who  are  trained  and  certified 
in  accounting,  versed  in  government  accounting 
practices  and  standards,  and  experienced  in  infor¬ 
mation  technology.”  DoD  has  partially  addressed 
this  need  by  sending  “almost  1,000  DoD  personnel 
to  professional  development  training  that  will  assist 
them  and  their  components  in  achieving  the  FIAR 
goal  of  auditable  financial  statements  and  to  sustain 
audit  readiness  through  effective  internal  controls.” 
The  curriculum  was  to  enhance  “knowledge  and 
understanding  of  the  FIAR  goals  and  priorities.” 
In  addition,  the  fiscal  year  2012  National  Defense 
Authorization  Act  addresses  the  establishment  of 
a  “DoD  Financial  Management  Certification  Pro¬ 
gram  for  DoD’s  financial  management  workforce.” 
The  goals  of  this  effort  are  to — 

•  “Advance  the  professionalism  of  the  DoD 
financial  management  workforce. 

•  Strengthen  public  confidence  in  DoD  financial 
management  by  improving  the  financial 
management  workforce’s  capabilities  in  audit 
readiness  and  analytics. 

•  Broaden  the  competencies  and  experience  of 
the  financial  management  workforce  of  other 
DoD  business  operations.” 

The  DoD  Financial  Management  Certification  Pro¬ 
gram  is  presumed  to  be  a  major  force  for  “achieving 
and  sustaining  the  DoD’s  FIAR  goal  of  auditable 
financial  statements  by  increasing  the  competen¬ 
cies  and  capabilities  of  the  financial  management 
workforce.”  Secretary  Panetta  also  required  the 
implementation  of  a  pilot  certification  program  for 
financial  managers  in  his  Oct.  13,  2011,  memo.  In 

30)  House  Armed  Services  Committee  Panel  on  Defense  Financial  Management  and 
Auditability  Reform,  Findings  and  Recommendations,  January  24, 201 2,  p.  21 . 
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addition,  political  scientist  Paul  C.  Light  has  sug¬ 
gested  a  “capacity-based  accountability”  by  “build¬ 
ing  organizations  that  are  staffed,  trained,  struc¬ 
tured  and  equipped  to  be  effective”  and  advocated 
for  “organizational  competence.” 

DoD  IG  has  also  embarked  on  a  similar  mea¬ 
sure  by  upgrading  and  reemphasizing  its  internal 
certification  programs,  notably  its  Certified  De¬ 
fense  Financial  Auditor  designation.  The  Army 
Comptroller  CP- 11  Program  is  an  example  of  a 
Service  Agency’s  dedication  to  improving  financial 
management  and  shares  an  emphasis  in  acquiring 
professional  certifications  and  master’s  degrees,  as 
well  as  gaining  experience  through  developmental 
assignments.  By  broadening  their  knowledge  and 
experiences,  DoD  personnel  will  be  able  to  solve 
complex  issues  directly  or  indirectly  linked  to  audit 
readiness  regardless  of  their  expertise. 

After  developing  these  skill  sets,  DoD  IG  au¬ 
ditors  and  DoD  financial  managers  may  find  ways 
to  resolve  issues  without  impairing  independence. 
Agencies  “with  positive  working  partnerships 
between  financial  managers  and  auditors  have 
achieved  more  clean  audit  opinions.”  Collabora¬ 
tive  arrangements  such  as  “joint  meetings  through¬ 
out  the  year,  defining  problems  and  proposing  solu¬ 
tions,  interim  reviews  and  negotiated  agreements” 
were  cited  as  possible  examples.  In  addition,  “au¬ 
ditor  independence  is  not  impaired  when  offering 
routine  advice  or  answering  technical  questions.” 
Perhaps,  short-term  line  item,  management  con¬ 
trols  or  financial-related  performance  audits  could 
be  considered. 

In  addition,  agencies  “with  positive  coopera¬ 
tive  arrangements  between  financial  and  line  and 
functional  managers  have  achieved  more  clean 
audit  opinions.”  Therefore,  by  implementing  the 
DoD  certification  program,  DoD  financial  and 
nonfinancial  managers  will  become  knowledgeable 
of  everyone’s  role  in  achieving  audit  readiness. 
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ALTERNATIVE  D:  ACCOUNTABILITY  AND 
EFFECTIVE  OVERSIGHT 
DoD  “established  a  governance  structure  for  the 
FIAR  Plan,  which  includes  review  bodies  for  gov¬ 
ernance  and  oversight.  To  monitor  progress  and 
hold  individuals  accountable  for  progress,  DoD 
managers  and  oversight  bodies  need  reliable,  val¬ 
id,  meaningful  metrics  to  measure  performance 
and  the  results  of  corrective  actions.”  GAO  stated 
that  “effective  oversight  holds  individuals  account¬ 
able  for  carrying  out  their  responsibilities.”  DoD 
has  taken  steps  by  introducing  incentives  “such  as 
including  FIAR  goals  in  Senior  Executive  Service 
Performance  Plans.”  A  second  incentive  entails 
“increased  reprogramming  thresholds  granted  to 
components  that  receive  a  positive  audit  opinion 
on  their  Statement  of  Budgetary  Resources.”  A 
third  incentive  involves  the  funding  of  audit  costs 
“by  the  Office  of  the  Secretary  of  Defense  after  a 
successful  audit.”  A  final  incentive  is  “publicizing 
and  rewarding  components  for  successful  audits.” 
The  question  now  is  whether  the  current  metrics 
are  sufficient  in  achieving  meaningful  results. 

“Agencies  with  the  most  reporting  entities  tend 
to  have  the  fewest  clean  audit  opinions.”  “The  CFO 
Act  does  not  require  audits  of  reporting  entity  fi¬ 
nancial  statements,”  but  many  agencies  do  require 
the  independent  audit  of  their  respective  reporting 
agencies’  financial  statements.  DoD  had  twenty- 
six  reporting  entities.  The  DoD  could  consoli¬ 
date  some  of  the  reporting  entities  to  simplify  the 
reporting  process.  “CFOs  with  oversight  of  core 
financial  management  functions  have  more  clean 
opinions  than  other  CFOs.”  CFOs  should  have 
authority  over  “budget  formulation,  and  execu¬ 
tion,  financial  operations  and  analysis,  and  finan¬ 
cial  systems  to  comply  with  the  CFO  Act.”  “CFOs 
should  not  have  additional  responsibilities  that 
distract  them  from  financial  management,  such  as 
agencywide  information  resource  management, 
personnel,  procurement,  grants  management  and 
agency  administration.”  It  appears  that  the  DoD 
comptroller  does  have  control  over  the  three  main 
financial  management  functions  and  not  over  “dis- 
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tracting”  functions.  Therefore,  these  responsibili¬ 
ties  should  not  be  an  issue. 

ALTERNATIVE  E:  WELL-DEFINED 
ENTERPRISE  ARCHITECTURE 
GAO  has  continually  designated  DoD’s  business 
systems  modernization  program  as  high  risk  since 
1995.  Between  2001  and  2005,  GAO  reported  that 
the  “modernization  program  had  spent  hundreds 
of  millions  of  dollars  on  an  enterprise  architecture 
and  investment  management  structures  that  had 
limited  value.”  Congress  passed  the  Ronald  W.  Rea¬ 
gan  National  Defense  Authorization  Act  for  Fiscal 
Year  2005  that  was  consistent  with  GAO  recom¬ 
mendations  regarding  the  issue.  In  addition,  the 
military  departments’  architecture  programs  con¬ 
tinue  to  have  scope  and  completeness  limitations 
and  maturity  issues.  GAO  indicated  these  depart¬ 
ments  still  lack  a  “fully- developed  enterprise  ar¬ 
chitecture  methodology  or  a  well-defined  business 
enterprise  architecture  and  transition  plan  to  guide 
and  constrain  business  transformation  initiatives.” 
Furthermore,  the  “DoD  enterprise  and  the  mili¬ 
tary  departments’  approaches  to  business  systems 
investment  management”  are  missing  “the  policies 
and  procedures  for  effective  investment  selection, 
control  and  evaluation”  methodologies.  This  alter¬ 
native  would  mandate  implementation  of  modern¬ 
ization  controls. 


“QJLO  has  continuatfy  designated 
C Do(D ’s  business  systems 
modernization  program  as  high 
rish  since  1995.  ” 


In  addition,  “agencies  that  made  positive  re¬ 
source  allocations  to  the  effort  have  achieved  more 
clean  audit  opinions.”  The  Brook  Study  found  that 
the  two  most  important  components  are  “positive 
application  of  personnel  and  money  and  insulating 
financial  management  from  the  effects  of  down¬ 
sizing  and  resource  constraints.”  Business-process 
improvements  were  noted  due  to  the  reassignment 
of  staff  “from  lower  priority  duties  to  work  on  the 


47)  GAO-11 -864T  (2011).  DoD  Financial  Management:  Numerous  Challenges  Must  Be 
Addressed  to  Achieve  Auditability,  pp.  1 3-4. 


financial  statements.  In  his  Oct.  13,  2011,  memo, 
Secretary  Panetta  directed  the  DoD  comptroller  to 
provide  a  plan  to  include  resourcing  the  efforts  to 
meet  the  goals. 


ALTERNATIVE  F:  SUCCESSFUL 
IMPLEMENTATION  OF  THE  ENTERPRISE 
RESOURCE  PLANNING  SYSTEMS 
DoD  has  invested  “billions  of  dollars  and  will  con¬ 
tinue  to  invest  billions  more  to  implement  the  En¬ 
terprise  Resource  Planning  System.”  DoD  person¬ 
nel  have  acknowledged  that  the  ERPS  are  essential 
in  “transforming  DoD  business  operations,  includ¬ 
ing  financial  management,  and  in  improving  DoD’s 
capability  for  providing  management  and  Congress 
with  accurate  and  reliable  information”  as  it  per¬ 
tains  to  the  agency’s  operations.  These  ERPS  are 
to  “replace  over  500  legacy  systems,”  and  therefore 
will  address  other  operational  weaknesses  in  DoD 
and  would  also  produce  savings.  GAO  reported 
that  DoD  “has  not  effectively  employed  acquisition 
management  controls”  to  ensure  that  the  ERPS 
deliver  the  expected  capabilities  on  schedule  and 
within  budget.  Delays  in  implementing  the  ERPS 
would  extend  the  use  and  funding  of  duplicative 
systems,  which  would  then  decrease  potential  sav¬ 
ings  that  could  be  applied  more  effectively  else¬ 
where. 

“Agencies  with  the  most  financial  management 
systems  have  the  fewest  clean  audit  opinions.” 
Thus,  the  importance  of  reducing  the  outdated  sys¬ 
tems  can  be  linked  to  a  “clean”  audit  opinion.  In 
addition,  “many  agencies  achieved  clean  opinions 
by  employing  short-term,  “work-around”  systems 
solutions.”  DoD  leaders  could  build  a  temporary, 
separate  financial  information  system  that  would 
serve  only  the  information  needs  of  financial  state¬ 
ments  until  the  fully  integrated  system  is  opera¬ 
tional.  This  may  be  viable  as  ERPS  are  expensive 
and  subject  to  improvement.  Objective:  To  deter¬ 
mine  whether  any  Railroad  Medicare  providers 
fraudulently  billed  for  emergency  transportation  to 
routine  dialysis  or  physical  therapy  appointments. 
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ALTERNATIVE  G:  COMBINATION  OF 
ALTERNATIVES  B  THROUGH  F 
Each  issue  identified  as  an  alternative  under 
Alternatives  B  through  F  represents  one  part  of 
the  solution.  Therefore,  DoD  should  implement 
Alternatives  B  through  F  to  achieve  audit  readiness 
as  noted  by  GAO.  Assuming  a  committed 
leadership  is  in  place,  DoD  personnel  need  to 
address  the  problems  pertaining  to — 

•  Developing  an  “effective  plan  to  correct 
internal  control  weaknesses.” 

•  Ensuring  an  educated  “financial  management 
workforce.” 

•  Ensuring  “accountability  and  effective 
oversight.” 

•  Ensuring  a  “well-defined  enterprise 
architecture.” 

•  Ensuring  the  “successful  implementation  of  the 
enterprise  resource  planning  systems.” 

Therefore,  DoD  should  improve  its  management 
control  program  by  developing  an  effective  plan 
to  correct  the  identified  weaknesses.  DoD  needs  to 
ensure  that  its  financial  and  nonfinancial  managers 
are  adequately  trained  as  to  what  senior  leadership’s 
expectations  are,  as  well  as  how  the  managers’  ef¬ 
forts  contribute  to  audit  readiness  success.  DoD  se¬ 
nior  leaders  should  hold  personnel  accountable  for 
achieving  audit  readiness  and  establish  and  main¬ 
tain  effective  oversight  so  that  milestones  are  not 
missed.  DoD  management  should  improve  upon 
its  enterprise  architecture  policies  and  give  exten¬ 
sive  consideration  to  ERPS  implementation. 

RECOMMENDED  APPROACH 
Best  Alternative:  G  (Combination) 

After  considering  GAO’s  and  Congress’  recommen¬ 
dations,  as  well  as  the  Brook  and  Wiese  Studies,  and 
weighing  all  of  the  alternatives  and  outcomes,  it  was 
determined  that  Alternative  G  was  the  best  choice. 
It  minimized  the  differences  among  the  trade-offs 
and  minimized  the  opportunity  costs.  Under  the 
shared  assumptions  that  leadership  commitment 
is  the  driving  force,  we  can  then  conclude  that  the 
other  alternatives  (with  the  exception  of  Alterna¬ 
tive  A)  would  be  practical. 
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IMPLEMENTATION  STRATEGY 
Assuming  DoD  has  a  committed  and  sustained 
leadership  in  place,  DoD  then  needs  to  establish 
effective  oversight  and  accountability.  Account¬ 
ability  and  oversight  should  be  relatively  easy  to 
implement,  and  DoD  has  already  established  a  gov¬ 
ernance  structure  for  the  Financial  Improvement 
Audit  Readiness  Plan.  However,  GAO  found  that 
the  senior  governance  officials,  including  the  desig¬ 
nated  senior  executive  committees,  were  ineffective 
and  inadequate.  Therefore,  DoD  leaders  need  to 
make  the  effort  necessary  to  meet  their  audit  readi¬ 
ness  responsibilities.  Implementing  policies  and 
procedures  requires  the  support  of  DoD  leaders  to 
enforce  corrective  actions.  Updates  to  the  systems 
would  require  additional  funding  for  implementa¬ 
tion. 

DoD  should  develop  a  comprehensive  correc¬ 
tive  action  plan  to  address  its  material  weakness¬ 
es.  Timelines  for  implementing  effective  controls 
should  be  reported  in  future  FIAR  Plan  status  re¬ 
ports.  Then,  DoD  leaders  should  allocate  resources, 
whether  it  is  for  staff,  funds,  making  system  modi¬ 
fications,  performing  analyses,  reevaluating  meth¬ 
odologies  or  improving  processes  and  procedures 
to  correct  the  material  weaknesses. 

DoD  leaders  will  then  need  to  establish  depart¬ 
ment  committees  with  responsibility  and  account¬ 
ability  for  the  enterprise  architecture.  They  need  to 
ensure  that  methodologies,  plans  and  procedures 
for  making  architectural  and  investment  decisions 
are  thoroughly  defined  and  detailed. 

DoD  leaders  will  need  to  assess  the  critical  skills 
and  competencies  of  the  existing  civilian  work¬ 
force,  the  future  critical  skills  and  competencies 
desired  over  the  next  decade,  and  identifying  the 
gaps  under  each  assessment.  Then,  senior  leaders 
should  budget  for  hiring,  training  and  continually 
educating  the  staff  on  financial  management  mat¬ 
ters.  DoD  is  already  implementing  a  certification 
program  similar  to  the  one  used  for  the  acquisition 
workforce,  and  it  establishes  various  competency 
levels.  It  is  also  exploring  an  exchange  program 
with  the  private  sector  Best  practices  and  compe¬ 
tencies  will  be  shared. 

55)  GAO-1 1  -85 1  (201 1 ).  DoD  Financial  Management:  Improvement  Needed  in  DoD  Com¬ 
ponents'  Implementation  of  Audit  Readiness  Efforts,,  pp.  1  &  25  and  House  Armed  Services 
Committee  Panel  on  Defense  Financial  Management  and  Auditability  Reform, 

Findings  and  Recommendations,  January  24, 201 2,  p.  1 7. 

56)  GAO-1 1 -864T  (201 1 ).  DoD  Financial  Management:  Numerous  Challenges  Must  Be  Ad¬ 
dressed  to  Achieve  Auditability,  p.  14. 

57)  House  Armed  Services  Committee  Panel  on  Defense  Financial  Management  and 
Auditability  Reform,  Findings  and  Recommendations,  January  24, 201 2,  p.  31 . 
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After  leadership  involvement,  oversight,  a  plan 
for  correcting  material  weaknesses,  enterprise  ar¬ 
chitectural  policies  and  training  programs  have 
been  implemented,  DoD  senior  leaders  need  to  ad¬ 
dress  the  system  side  by  developing  or  modifying 
ERPS  to  improve  the  output  of  reliable  and  accurate 
information.  It  appears  that  history  has  indicated 
several  ERPS  have  not  followed  practical  project 
management  principles  because  their  capabilities 
may  not  be  on  time  or  within  budget.  These  include 
the  Army’s  General  Fund  Enterprise  Business  Sys¬ 
tem  and  the  Air  Force’s  Expeditionary  Combat  Sup¬ 
port  System,  which  have  encountered  delays  and  in¬ 
creased  costs.  The  outdated  systems  that  the  ERPS 
were  to  replace  are  still  being  utilized  and  funded. 
DoD  IG  renders  the  ERPS’  effectiveness  as  ques¬ 
tionable.  Therefore,  the  DoD  should  ensure  that  it 
is  getting  its  “bang  for  its  buck”  by  taking  a  harder 
look  at  the  processes  and  procedures  for  develop¬ 
ing  and  funding  its  ERPS  requirements.  The  House 
Armed  Services  Committee  Panel  on  DoD’s  Audit 
Readiness  recommended  that  DoD  assess  even  its 
“decision-making  process  regarding  ERPS  require¬ 
ments  at  every  level  of  authority.”  Implementation 
would  not  be  easy.  However,  DoD  could  implement 
temporary  “work-arounds”  to  comply  with  Panet- 
ta’s  new  mandated  deadlines. 

To  implement  this  strategy,  DoD  leaders  should 
consider  the  recommendations  of  Congress  and 
GAO.  Each  step  of  this  process  involves  various 
degrees  of  ease  in  implementing  them.  Since  the 
previous  and  current  secretaries  of  defense  have 
responded  to  the  growing  political  demands  of 
improving  DoD’s  financial  management  by  taking 
some  action,  we  should  then  expect  that  these  ef¬ 
forts  would  assist  in  expediting  DoD’s  readiness 
goals. 

CONCLUSION 

DoD  has  struggled  since  the  implementation  of 
the  CFO  Act  to  achieve  audit  readiness.  Some  have 
argued  that  either  the  accounting  policies  of  Mc¬ 
Namara’s  Pentagon,  the  lack  of  leadership  commit¬ 
ment,  the  number  of  systems,  missing  competencies 
or  awareness,  the  number  of  material  weaknesses 
and  other  issues  have  been  the  causes  for  this  di¬ 
lemma.  In  addition,  even  if  DoD  achieves  auditabil¬ 


58)  Ibid.,  pp.  34-9. 

59)  Ibid.,  p.  18. 

60)  Ibid.  p.  44. 


ity,  the  battle  is  not  over.  In  some  ways,  it  has  just 
begun.  After  becoming  auditable  and  obtaining  an 
opinion  on  its  financial  statements,  DoD  needs  to 
be  in  a  position  to  sustain  that  opinion.  DoD  may 
not  achieve  the  unqualified  “clean”  audit  opinion 
the  first  go  round,  since  a  qualified  opinion  is  also 
likely.  Nevertheless,  by  implementing  the  proposed 
solution,  which  is  supported  by  both  Congress  and 
GAO,  DoD  should  achieve  audit  readiness.  How¬ 
ever,  it’s  still  too  early  to  tell  whether  sustaining  an 
opinion  and  obtaining  a  clean  opinion  are  viable. 

DoD,  GAO,  DoD  IG  and  other  observers  and 
stakeholders  have  published  a  plethora  of  literature 
that  addresses  either  specifically  or  contextually  the 
importance  of  DoD’s  audit  readiness.  DoD  has  is¬ 
sued  its  FIAR  Plan  as  a  road  map  to  achieving  au¬ 
ditability.  The  GAO  and  DoD  IG  have  addressed 
what  they  see  as  stumbling  blocks  to  that  goal.  Con¬ 
gress  has  taken  interest  and  wants  to  ensure  that  the 
DoD  stays  focused  in  its  efforts.  Further  investiga¬ 
tion  should  be  considered  in  determining  the  costs 
involved  in  meeting  those  requirements,  so  that  a 
fair  cost-benefit  analysis  can  be  done.  Also,  how 
does  DoD  compare  to  some  of  the  largest  corpo¬ 
rations  in  America?  The  legendary  Greek  math¬ 
ematician  Pythagoras,  known  for  his  theorem  of 
triangles,  believed  that  the  world’s  problems  could 
be  solved  with  numbers.  Can  the  same  be  said  for 
DoD?  How  can  audit  readiness  help  improve  the 
current  budget  crisis?  Initially,  as  I  considered  al¬ 
ternatives  to  the  status  quo,  my  thought  was  to  de¬ 
termine  how  DoD  would  achieve  other  opinions  on 
its  financial  statements  assuming  that  the  current 
disclaimer  wasn’t  feasible  and  the  ideal  unqualified 
opinion  wasn’t  reachable.  However,  after  conclud¬ 
ing  my  research,  I  determined  that  evaluating  the 
agreed-upon  solutions  to  achieving  audit  readiness 
first,  rather  than  the  ultimate  goal  of  a  clean  opin¬ 
ion,  may  be  the  more  reasonable  approach,  so 


61 )  Huffman,  Carl,  "Pythagoras",  The  Stanford  Encyclopedia  of  Philosophy  (Fall  20 1 1  Edition), 
Edward  N.  Zalta  (ed.),  URL  =  http://plato.stanford.edu/archives/fall201 1/entries/pythago- 
ras/.  Retrieved  April  16, 2012,  p.  1 . 
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Inspectors  General  Auditing  Strategies  for 
Federal  Executive  Branch  Agencies  in  Light  of 
Unfunded  Mandates 


By  Loralee  Bennett 

An  unfunded  mandate  is  generally  defined  as  a 
law  passed  by  the  federal  government  that  requires 
states,  local  governments  or  nongovernmental 
agencies  to  perform  an  action  for  which  the  fed¬ 
eral  government  has  provided  no  money  to  take 
the  required  action.  Congress,  recognizing  this 
was  a  problem,  passed  the  Unfunded  Mandates 
Reform  Act  of  1995  to  “curb  the  practice  of  impos¬ 
ing  unfunded  federal  mandates  on  states  and  local 
governments.”  However,  prior  to  passage  of  the 
UMR  Act,  there  was  a  more  expansive  definition 
of  an  unfunded  mandate.  Specifically,  an  unfunded 
mandate  referred  “to  a  requirement  that  a  unit  of 
government  imposes  without  providing  funds  to 
pay  for  costs  of  compliance.”  However,  with  the 
more  limited  definition  that  has  come  to  promi¬ 
nence  since  the  passage  of  the  UMR  Act,  there  is  an 
often  forgotten  recipient  of  unfunded  congressio¬ 
nal  mandates  once  covered  under  the  definition — 
federal  executive  branch  agencies. 


1)  Wise  Geek.  (1995).  Wise  Geek.  Retrieved  October  13, 201 1,from  Unfunded  Mandate: 
http://www.wisegeek.com/what-is-an-unfunded-mandate.htm. 

2)  Congress.  (1995,  March  22).  Public  Law  104.  Retrieved  October  13, 201 1,  from 
Government  Printing  Office:  http://www.gpo.gov/fdsys/pkg/PLAW-104publ4/pdf/PLAW- 
104publ4.pdf. 

3)  Bea,  K.,  &  Beth,  R.  S.  (2005).  Unfunded  Mandates  Reform  Act  Summarized  (RS20058). 
Washington  DC:  Congressional  Research  Service. 


While  Congress  passes  a  wide  range  of  laws, 
these  laws  are  “primarily  aimed  at  changing  govern¬ 
ment  programs  and  agency  policies  and  practices.” 
While  such  programs  can  be  administered  by  non- 
federal  entities,  for  example  state  governments, 
these  programs  are  most  often  administered  by  fed¬ 
eral  executive  branch  agencies.  Additionally,  con¬ 
gressional  changes  to  agency  policies  and  proce¬ 
dures  are  usually  those  of  federal  executive  branch 
agencies. 

“However,  with  the  more  Cimited 
definition  that  has  come  to 
prominence  since  the  passage  of 
the  VMHdict,  there  is  an  often 
forgotten  recipient  of  unfunded 
congressionaC mandates  once 
covered  under  the  definition — 
federah  executive  6ranch  agencies.  ” 

When  it  comes  to  funding  federal  agencies 
and/or  federal  programs  established  in  law  and 
executed  by  federal  executive  branch  agencies, 
there  is  a  two-step  process.  First,  an  authorization 
is  passed  that  establishes  either  the  agency  or  the 
federal  program.  The  authorization  outlines  the 
aim  of  the  program  and  sets  policies  that  agencies 
must  follow  during  implementation.  Additionally, 
the  authorization  establishes  a  funding  ceiling  for 
the  program.  The  authorization,  however,  does  not 
actually  provide  the  funding.  For  funding,  we  move 

4)  Haskell,  J.  (2010).  Congress  in  Context.  Jackson:  Westview  Press. 
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to  the  second  step,  an  appropriation.  An  appropria¬ 
tion,  when  passed,  actually  provides  the  funding 
for  the  agency  and/or  program  for  the  given  fiscal 
year.  The  appropriation,  however,  is  rarely  as  high 
as  the  funding  ceiling  established  in  the  authoriza¬ 
tion. 

“ ...the  federat  deficit  is  so  targe, 
that  the  onty  atternative  [eft 
for  imposing  so-catted nationat 
sotutions  is  to  impose 
unfunded  mandates. ;; 

While  the  funding  may  be  less  than  the  autho¬ 
rized  ceiling,  in  a  perfect  world  the  appropriation 
would  provide  the  agency  with  sufficient  funding  to 
adequately  implement  or  administer  the  program 
established  in  law.  However,  the  appropriation  is 
generally  set  based  on  budgetary  constraints  and 
not  necessarily  on  the  needs  of  the  program.  There¬ 
fore,  funding  levels  can  fall  well  below  the  actual 
amount  necessary  to  properly  implement  or  run  a 
program  or  to  achieve  all  of  the  program’s  aims.  In 
fact,  Senator  Kempthorne  was  quoted  as  stating, 
“[t]he  federal  government  no  longer  has  the  money 
to  fund  the  governmental  actions  it  wishes  to  see 
accomplished  throughout  the  country.  In  fact,  it 
has  not  had  the  money  to  do  this  for  many  years. 
Instead,  it  borrowed  for  a  long  time,  to  cover  those 
costs.  But  now  the  federal  deficit  is  so  large,  that 
the  only  alternative  left  for  imposing  so-called  na¬ 
tional  solutions  is  to  impose  unfunded  mandates.” 
Despite  the  lack  of  funding  from  Congress,  federal 
executive  branch  agencies  are  still  required,  by  law, 
to  implement  the  programs  passed  by  Congress. 

To  ensure  federal  executive  branch  agencies 
implement  the  programs  it  passes,  Congress  passed 
the  Inspector  General  Act  (as  amended),  which  es¬ 
tablished  an  office  of  inspector  general  in  most  fed¬ 
eral  executive  branch  departments  and  agencies. 
The  purpose  of  the  IG  Act  was  to  create  indepen¬ 
dent  and  objective  units  to  (1)  conduct  and  super- 


5)  Ibid. 

6)  Dilger,  R.,  &  Beth,  R.  (2011).  Unfunded  Mandates  Reform  Act:  History,  Impact,  and  Issues 
(R40957).  Washington  DC:  Congressional  Research  Service. 


vise  audits  and  investigations,  (2)  recommend  poli¬ 
cies  to  improve  operations  and  prevent  fraud  and 
(3)  to  keep  the  leadership  and  Congress  informed 
of  problems  and  their  associated  corrective  recom¬ 
mendations.  The  IG  Act  goes  on  to  state  that  it  is 
the  duty  of  each  inspector  general  to  (1)  provide 
policy  direction,  (2)  review  existing  and  proposed 
legislation  and  inform  Congress  of  the  impact  of 
such  legislation  on  the  agency,  (3)  promote  econ¬ 
omy  and  efficiency  and  (4)  keep  the  department 
and/or  agency  head  and  Congress  fully  informed 
of  problems. 

Paul  Light  points  out  that,  to  comply  with  the 
IG  Act,  inspectors  general  rely  heavily  on  com¬ 
pliance  accountability.  However,  there  are  actu¬ 
ally  three  possible  approaches  to  accountability  in 
government.  “The  first  approach,  compliance  ac¬ 
countability,  rests  on  efforts  to  assure  conformity 
with  carefully  drawn  rules  and  regulations.  Using 
negative  sanctions  targeted  primarily  at  individu¬ 
als  inside  or  outside  (for  example,  contracts  and 
beneficiaries)  of  government,  compliance  account¬ 
ability  places  its  faith  in  correcting  problems  after 
they  occur  and  in  the  deterrence  value  of  visible 
punishment.  The  second  approach,  performance 
accountability,  centers  on  the  establishment  of  in¬ 
centives  and  rewards  for  desired  outcomes.  Using 
positive  sanctions,  again  targeted  primarily  at  in¬ 
dividuals,  performance  accountability  puts  its  em¬ 
phasis  on  moving  individuals  toward  the  preferred 
results  from  the  beginning.  The  third  approach, 
capacity-based  accountability,  involves  the  cre¬ 
ation  of  organizational  competence  through  tech¬ 
nologies — people,  systems  and  structures — and  the 


7)  Light,  R  C.  (1993).  Monitoring  Government:  Inspectors  General  and  the  Search  for  Ac¬ 
countability.  Washington:  The  Brookings  Institute  and  The  Governance  Institute. 
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maintenance  of  the  conditions  of  success  through 
initial  investment.  With  the  availability  of  adequate 
resources,  capacity  building  focuses  on  building  or¬ 
ganizations  that  are  staffed,  trained,  structured  and 
equipped  to  be  effective.” 

In  short,  compliance  accountability  looks  for 
errors  that  have  already  occurred  and  focuses  on 
correcting  those  problems.  Performance  account¬ 
ability  (or  economy  and  efficiency  reviews)  is  de¬ 
signed  to  help  agencies  perform  their  mission  in 
the  most  economical  manner  possible.  Put  another 
way,  they  help  the  agency  meet  mission  require¬ 
ments  while  using  less  resources.  Capacity-based 
accountability  helps  new  agencies  “come  on  line” 
with  the  most  effective  and  efficient  organizational 
operation  from  the  very  beginning. 

While  the  IG  Act  allows  for  all  three  types  of 
reviews,  most  inspectors  general  rely  “almost  ex¬ 
clusively  on  compliance”  reviews.  A  review  of  the 
mission  statements  of  several  of  the  larger  inspec¬ 
tors  general  supports  Light’s  assertion.  The  mission 
statements  focus  on  oversight  from  the  standpoint 
of  compliance  types  of  reviews  versus  a  focus  on 
performance  accountability  or  capacity-based  ac¬ 
countability  (as  defined  by  Light).  For  example,  a 
review  of  the  Department  of  the  Treasury’s  inspec¬ 
tor  general  website  disclosed  that  the  inspector 
general’s  focus  is  on  keeping  “both  the  Secretary 
and  the  Congress  fully  informed  about  the  prob¬ 
lems  and  deficiencies  relating  to  the  administration 
of  the  department  programs  and  operations  and 
the  necessity  for  corrective  action.” 

This  highly-focused  compliance  viewpoint  is 
understandable.  Inspectors  general  had  that  out¬ 
look  almost  from  the  beginning.  Specifically,  look¬ 
ing  back  at  the  history  of  inspectors  general,  we 
see  the  same  limitation.  Most  reviews  focused  on 
compliance  monitoring.  In  fact,  “in  one  of  the  first 
resolutions  passed,  the  Continental  Congress  es¬ 
tablished  an  IG,  concluding  that  it  was  essential  to 
the  promotion  of  discipline  in  the  American  Army, 
and  to  the  reformation  of  the  various  abuses  which 
prevail  in  the  different  departments.”  Essentially, 
inspectors  general  were  established  because  of 
scandals  surrounding  the  Colonial  army  and  their 


8)  Ibid. 

9)  Ibid. 

10)  Treasury  OIG.  (2011,  May  1 1).  Inspector  General.  Retrieved  October  16, 201 1,from 
Department  of  the  Treasury:  http://www.treasury.gov/about/organizational-structure/ig/ 
Pages/about.aspx. 

11)  Light,  P.  C.  (1993).  Monitoring  Government:  Inspectors  General  and  the  Search  for  Ac¬ 
countability.  Washington:  The  Brookings  Institute  and  The  Governance  Institute. 


focus  was  on  ensuring  compliance  with  governing 
policy. 

Another  reason  inspectors  general  tend  to  fo¬ 
cus  on  compliance  reviews  is  because  “compliance 
monitoring  yields  more  attractive  results  politi¬ 
cally.”  “Compliance  monitoring  not  only  generates 
a  much  greater  volume  of  findings  of  failure,  and 
therefore  higher  visibility, . . .  but  also  produces  rec¬ 
ommendations  for  actions  that  are  less  expensive, 
more  politically  palatable,  cleaner  jurisdictionally, 
and  faster  to  implement.”  As  Schwartz  so  aptly 
stated,  “justly  or  unjustly,  time  spent  putting  out 
visible  fires  gains  one  more  credit  than  the  same 
time  spent  sniffing  for  smoke.”  Specifically,  “a 
high  degree  of  political  consensus  surrounds  the 
simple  goal  of  most  compliance  recommendations: 
to  punish  the  cheaters  and  abusers.” 

However,  “compliance  accountability  places  its 
faith  in  correcting  problems  after  they  occur  and 
in  the  deterrence  value  of  visible  punishment.” 
In  short,  compliance  reviews  look  at  the  program’s 
adherence  to  regulatory  or  legal  requirements  and 
then  reports  on  the  success  or  failure  of  compliance 


with  those  requirements.  Additionally,  following 
identification  of  any  failures  to  comply  with  the  re¬ 
quirements,  the  resulting  Office  of  Inspector  Gen¬ 
eral  report  will  contain  recommendations,  based 
on  the  cause  of  the  noncompliance,  identifying  ac¬ 
tions  the  agency  should  take  to  come  into  compli¬ 
ance  with  the  requirements. 


12)  Ibid. 

13)  Schwartz,  T.  (1989).  Checks,  Balances,  and  Bureaucratic  Usurpation  of  Congressional 
Power.  In  B.  W.  Grofman,The  Federalist  Papers  and  the  New  Institutionalism  (pp.  150-157). 
New  York:  Agathon  Press. 

1 4)  Light,  P.  C.  (1 993).  Monitoring  Government:  Inspectors  General  and  the  Search  for  Ac¬ 
countability.  Washington:  The  Brookings  Institute  and  The  Governance  Institute. 

15)  Ibid. 
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When  conducting  a  compliance-focused  audit, 
inspection  or  evaluation  of  a  federal  executive 
branch  agency  that  is  designed  to  validate  the 
agency’s  compliance  with  Congressional  mandates 
passed  in  public  laws,  it  has  become  more  common 
to  learn  that  the  cause  of  noncompliance  is  because 
the  agency  simply  lacks  the  staff,  money  or  other 
resources  necessary  to  comply  with  the  requirement. 
Essentially,  the  problem  exists  due  to  an  unfunded 
Congressional  mandate.  For  example,  a  recent 
evaluation  of  a  Bureau  of  Land  Management  Field 
Office  examined  annual  oil  and  gas  inspection 
and  enforcement  efforts.  The  evaluation  disclosed 
that  the  Federal  Oil  and  Gas  Royalty  Management 
Act  of  1982  required  BLM  field  offices  to  annually 
inspect  all  high-priority  federal  and  Indian  cases 
and  33  percent  of  low-priority  cases.  For  the  field 
office  visited,  implementation  of  FOGRMA  meant 
that  it  was  required  to  conduct  742  oil  and  gas 
inspection  and  enforcement  activities  for  the  year 
reviewed.  However,  the  field  office  set  their  target 
for  that  year  at  only  542  activities — 200  below  the 
number  required  by  FOGRMA.  When  questioned, 
field  office  management  indicated  this  was  because 
they  simply  did  not  have  the  staff  to  perform 
the  number  of  activities  FOGRMA  required. 
Additionally,  not  only  was  the  target  set  well  below 
the  number  FOGRMA  required,  the  field  office 
was  unable  to  even  complete  the  targeted  number 
of  inspections  because  it  did  not  have  the  staff 
necessary  to  complete  the  activities  and  did  not 
have  the  money  to  hire  more. 

Responses  from  agency  officials  claiming 
noncompliance  with  program  mandates  as  a 
result  of  an  unfunded  Congressional  mandate 

“With  shrinking  6udgets  in  the 
federaC  arena,  any  potentiaf 
solution  to  this  quandary  needs 
to  ac  know  hedge  the  fact  that 
more  resources  are  untikeCy  to  6e 
appropriated 6y  Congress...  ” 


makes  determining  what  to  review  and/or  what 
to  recommend  difficult  for  the  inspectors  general 
community.  First,  reviews  conducted  by  an  office 
of  inspector  general  normally  do  not  include  a 
review  of  whether  appropriate  resources  have 
been  authorized  or  funded.  Second,  when 
noncompliance  exists  as  a  result  of  an  unfunded 
Congressional  mandate,  recommendations  to 
correct  the  problem  are  difficult  to  craft.  Agencies 
generally  already  know  they  are  noncompliant, 
but  lack  the  resources  necessary  to  comply  with 
the  Congressional  mandate.  In  such  cases,  simply 
recommending  they  come  into  compliance  will 
either  not  correct  the  problem  because  they  lack  the 
resources  to  come  into  compliance,  or  it  forces  the 
agency  to  divert  resources  from  another  program, 
thereby  simply  shifting  the  noncompliance  problem 
from  one  program  area  to  another.  Both  result 
are  counterproductive  and  wasteful.  However,  an 
agency’s  noncompliance  with  laws  or  regulations 
is  also  unacceptable.  As  a  result,  the  inspectors 
general  community  is  faced  with  a  quandary  in 
these  situations. 

With  shrinking  budgets  in  the  federal  arena, 
any  potential  solution  to  this  quandary  needs  to 
acknowledge  the  fact  that  more  resources  are  un¬ 
likely  to  be  appropriated  by  Congress — to  either 
the  inspectors  general  or  the  agencies  they  over¬ 
see.  Despite  a  lack  of  additional  resources,  research 
identified  five  potential  alternative  solutions  to  this 
quandary:  (1)  As  advocated  by  Light,  16  inspectors 
general  can  begin  conducting  more  performance 
reviews  (helping  agencies  perform  their  mission  in 


16)  Ibid. 
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the  most  economical  manner  possible)  compared 
with  compliance  reviews  (finding  noncompliance 
with  requirements  after  the  fact);  (2)  Instead  of 
moving  away  from  compliance  reviews,  inspec¬ 
tors  general  can  add  a  resource  assessment  compo¬ 
nent  to  compliance  reviews,  to  assess  the  resources 
available  compared  to  the  resources  required, 
when  the  cause  of  noncompliance  is  reported  to 
be  a  lack  of  resources;  (3)  Like  the  state  and  local 
governments,  the  inspectors  general  community 
can  begin  lobbying  Congress  to  have  either  federal 
executive  branch  agencies  added  to  the  UMR  Act 
or  a  separate,  but  similar,  act  passed  covering  fed¬ 
eral  executive  branch  agencies;  (4)  Inspectors  gen¬ 
eral  can  review  existing  and  proposed  legislation  or 
regulations  related  to  programs  of  the  agencies  they 
oversee  and  make  recommendations  in  the  Semi- 
Annual  Report  to  Congress  concerning  the  impact 
of  such  legislation  or  regulations  on  the  adminis¬ 
tration  of  the  programs;  (5)  As  is  always  available, 
the  inspectors  general  can  also  choose  to  do  noth¬ 
ing  to  address  the  situations  and  live  with  them. 

Once  we  identified  the  potential  solutions,  we 
created  a  matrix  of  the  five  alternatives  and  com¬ 
pared  and  evaluated  each  alternative  against  three 
different  sets  of  criteria.  Specifically,  each  alterna¬ 
tive  was  evaluated  against:  (1)  The  three  purposes 
of  the  IG  Act.  If  the  alternative  did  not  meet  all 
three  purposes  of  the  IG  Act,  it  would  have  to  be 
eliminated  as  an  alternative  since  it  would  not  be  in 
compliance  with  the  law.  (2)  The  four  responsibili¬ 
ties  of  the  IG  Act.  If  the  alternative  did  not  meet  at 
least  one  responsibility  of  the  IG  Act,  it  would  have 
to  be  eliminated  as  an  alternative  since  it  would 
not  be  in  compliance  with  the  law.  (3)  Five  overall 
questions  developed  to  identify  the  alternative  with 


“However  annual funding 
amounts  in  appropriations  are 
genera  ffy  set  6asecCon  Budgetary 
constraints  and  not  on  the 
agency's  or  program's  actuaf 
resource  requirements  necessary  to 
impfement  the  mandates  or  meet 
the  goafs. " 

the  highest  probability  of  successful  implementa¬ 
tion. 

Based  on  the  matrix  and  the  analysis  conduct¬ 
ed,  the  best  alternative  for  implementation  is  the 
alternative  to  review  existing  and  proposed  legisla¬ 
tion.  Additionally,  of  all  four  of  the  alternatives  that 
required  change,  this  alternative  is  probably  the 
least  controversial  and  easiest  to  implement.  This 
is  because  the  alternative  can  be  implemented  in¬ 
side  just  one  component  office  inside  an  individual 
office  of  inspector  general.  As  a  result,  significant 
resistance  from  staff  uncomfortable  with  change  is 
unlikely  since  very  few  individuals  within  the  of¬ 
fice  of  inspector  general  would  be  affected.  Further, 
each  office  of  inspector  general  can  implement  the 
alternative  independent  of  the  inspectors  general 
community.  While  implementation  of  the  alterna¬ 
tive  would  benefit  all  inspectors  general,  the  success 
or  failure  of  implementation  of  the  alternative  in  a 
given  office  of  inspector  general  would  not  rely  on 
cooperation  across  the  inspectors  general  commu¬ 
nity.  This  would  make  successful  implementation 
more  feasible.  Consequently,  each  Office  of  Inspec¬ 
tor  General  should  implement  the  alternative  to  re¬ 
view  existing  and  proposed  legislation  affecting  the 
programs,  agencies  and  department  they  oversee. 

Inspectors  general  should  ensure,  however,  as 
part  of  reviewing  existing  and  proposed  legislation, 
that  not  only  authorizations  are  reviewed  but  that 
annual  appropriations  are  reviewed  as  well.  Even 
those  inspectors  general  who  currently  have  proce¬ 
dures  in  place  to  review  existing  and  proposed  leg¬ 
islation  focus  their  reviews  on  authorizations  since 
authorizations  outline  the  aim  of  the  program  and 
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“Ji  pro6Cem — any  pro6Cem — cannot 
6e  fixed  if  no  one  knows  it  exists.  ” 

sets  policies  that  the  agencies  must  follow,  informa¬ 
tion  necessary  to  evaluate  an  agencies  compliance, 
or  noncompliance,  with  a  mandate.  Therefore,  au¬ 
thorizations  are  reviewed  with  an  eye  toward  com¬ 
pliance  reviews  since,  as  we  stated  earlier,  there 
appears  to  be  significant  support  for  a  focus  on 
compliance  reviews  from  Congress  and,  inspec¬ 
tors  general  have  gotten  very  good  at  conducting 
them.  By  ensuring  that  annual  appropriations  are 
reviewed,  inspectors  general  can  also  provide  Con¬ 
gress — in  the  Semi  Annual  Report  to  Congress — 
a  simple  and  effective  way  to  compare  the  level  of 
funding  thought  to  be  required  for  the  program 
or  agency  to  operate  successfully  (identified  in  the 
authorization)  and  the  actual  level  of  funding  pro¬ 
vided  to  operate  the  program  or  agency  (identified 
in  the  appropriation). 

CONCLUSION 

Annual  funding  in  appropriations  for  agencies  and 
programs  are  rarely  as  high  as  funding  ceilings  es¬ 
tablished  in  authorizations.  When  establishing  a 
funding  ceiling  authorization,  legislators  should 
be  reviewing  the  mandates  and  goals  established 
for  the  agency  or  program  in  the  authorization 
and  then  establishing  a  ceiling  that  only  allows  the 
mandates  and  goals  to  be  met.  In  a  perfect  world, 
annual  appropriations  would  then  provide  suffi¬ 
cient  funding  to  adequately  implement  or  adminis¬ 
ter  the  agency  or  program  and  ensure  the  agency’s 
or  programs  mandates  and  goals,  as  established  in 
law,  were  met.  However,  annual  funding  amounts 
in  appropriations  are  generally  set  based  on  bud¬ 
getary  constraints  and  not  on  the  agency’s  or  pro¬ 
gram’s  actual  resource  requirements  necessary  to 
implement  the  mandates  or  meet  the  goals. 

Alternatives,  which  allow  the  inspectors  gen¬ 
eral  community  to  help  the  agencies  they  oversee 
meet  unfunded  congressional  mandates,  are  lim¬ 


ited  by  the  mandates  that  Congress  has  imposed  on 
the  inspectors  general  community  itself. 

However,  a  careful  review  of  governing  legisla¬ 
tion  disclosed  a  number  of  alternatives  available  to 
the  inspectors  general  community,  which  had  the 
potential  to  help  agencies  address  the  unfunded 
Congressional  mandate  problem.  Based  on  the 
analysis  conducted  of  the  available  alternatives, 
the  best  way  for  inspector  general’s  offices  to  help 
the  agencies  they  oversee  is  to  review  existing  and 
proposed  legislation  that  relates  to  the  agencies  it 
oversees  and  make  recommendations  in  the  Semi 
Annual  Report  to  Congress  concerning  the  impact 
of  such  legislation  on  the  agency’s  resources — in¬ 
cluding  funding — or  its  ability  to  administer  the 
programs  and  meet  mandates.  This  review  should 
also  include  a  comparison  of  each  program’s  autho¬ 
rization  compared  to  its  annual  appropriation. 

While  implementation  of  this  alternative  will 
not  prevent  Congress  from  imposing  unfunded 
congressional  mandates  on  federal  executive  branch 
agencies,  passage  of  the  UMR  Act  did  not  prevent 
Congress  from  imposing  unfunded  Congressional 
mandates  on  state  and  local  governments  either.  In¬ 
stead,  implementation  of  this  alternative  will  bring 
specific  cases  of  unfunded  congressional  mandates 
on  federal  executive  branch  agencies  to  light.  As  a 
result,  like  the  UMR  Act  exposed  the  problem  re¬ 
lated  to  state  and  local  governments  and  resulted  in 
a  decrease  of  unfunded  Congressional  mandates  on 
those  institutions,  exposing  the  problem  related  to 
federal  executive  branch  agencies  should  result  in  a 
decrease  in  the  number  of  unfunded  congressional 
mandates  imposed  on  these  agencies. 

A  problem — any  problem — cannot  be  fixed  if 
no  one  knows  it  exists.  Offices  of  Inspectors  Gen¬ 
eral  have  demonstrated  a  noteworthy  ability  to 
identify  and  expose  problems.  Implementation  of 
an  alternative  to  review  existing  and  proposed  leg¬ 
islation,  identify  cases  of  insufficient  funding  and 
notify  Congress  of  problems  identified  plays  direct¬ 
ly  into  one  of  the  major  strengths  of  every  Office  of 
Inspector  General,  so 
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moted  to  the  Central  Region  deputy  regional  audit 
manager  position  in  Denver,  where  she  supervised 
as  many  as  30  projects  at  a  time,  while  taking  care  of 
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Inspector  General  Act  of  1978, 
as  amended 

Title  5,  U.S.  Code,  Appendix 

2.  Purpose  and  establishment  of  Offices  of  Inspector  General 
departments  and  agencies  involved 

In  order  to  create  independent  and  objective  units- 

(1)  to  conduct  and  supervise  audits  and  investigations 
relating  to  the  programs  and  operations  of  the 
establishments  listed  in  section  1 1(2); 

(2)  to  provide  leadership  and  coordination  and  recommend 
policies  for  activities  designed  (A)  to  promote  economy,  efficiency, 
and  effectiveness  in  the  administration  of,  and  (B)  to  prevent  and 
detect  fraud  and  abuse  in,  such  programs  and  operations;  and 

(3)  to  provide  a  means  for  keeping  the  head  of  the  establishment 
and  the  Congress  fully  and  currently  informed  about  problems 
and  deficiencies  relating  to  the  administration  of  such 
programs  and  operations  and  the  necessity  for  and 
progress  of  corrective  action; 


